
Windows Analysis Report
P0HV8mjHS1.exe

Overview

General Information

Sample name: P0HV8mjHS1.exe
renamed because original name is a hash value
Original sample name: 1d201eba6524ce8727dadf2031fc2b4a.exe
Analysis ID: 1575788
MD5: 1d201eba6524ce8727dadf2031fc2b4a
SHA1: dc6d2a38a1a9a1b8d934c565eaf027e0c7328980
SHA256: 1d010229450de58155efd24ab76f0d4fa00b7da73e48f93a5660d2a5a9714881
Tags: exe, user-abuse_ch

Detection

Credential Flusher
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Credential Flusher
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Connects to many different domains
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • P0HV8mjHS1.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\P0HV8mjHS1.exe" MD5: 1D201EBA6524CE8727DADF2031FC2B4A)
    • taskkill.exe (PID: 7752 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 2996 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 280 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 6604 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 7208 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • firefox.exe (PID: 8156 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • firefox.exe (PID: 5844 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
    • firefox.exe (PID: 7332 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 6344 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2172 -prefsLen 25358 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ad7f508-ae10-4797-94a8-42f485d40445} 7332 "\\.\pipe\gecko-crash-server-pipe.7332" 1569726f510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 8868 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -parentBuildID 20230927232528 -prefsHandle 3720 -prefMapHandle 4092 -prefsLen 26373 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7f145a7-2cf0-440e-8897-25c02c759692} 7332 "\\.\pipe\gecko-crash-server-pipe.7332" 156a956c510 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 8556 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5096 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 5108 -prefsLen 33184 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cea3218c-8734-46eb-8bf4-f4aef17ce0d4} 7332 "\\.\pipe\gecko-crash-server-pipe.7332" 156af813b10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: P0HV8mjHS1.exe PID: 7604 | JoeSecurity_CredentialFlusher | Yara detected Credential Flusher | Joe Security |
    No Sigma rule has matched
    No Suricata rule has matched


    AV Detection

    Source: P0HV8mjHS1.exe | Avira: detected
    Source: P0HV8mjHS1.exe | ReversingLabs: Detection: 47%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.7% probability
    Source: P0HV8mjHS1.exe | Joe Sandbox ML: detected
    Source: P0HV8mjHS1.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.10:49738 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.10:49742 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.10:49770 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.10:49785 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.10:49784 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.10:49823 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.10:49824 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.10:49826 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.10:49832 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.10:49834 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.10:49833 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.10:49835 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.10:49837 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.10:49907 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.10:49908 version: TLS 1.2
    Source: Binary string: UxTheme.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A9149000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: rsaenh.pdb source: firefox.exe, 0000000E.00000003.1562470132.00000156AA8A7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb source: firefox.exe, 0000000E.00000003.1555793671.00000156AA512000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb source: firefox.exe, 0000000E.00000003.1555996830.00000156A9BC2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb@ source: firefox.exe, 0000000E.00000003.1563932432.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557801487.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb source: firefox.exe, 0000000E.00000003.1557801487.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564017930.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.1564103988.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557995398.00000156A967A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: WscApi.pdb source: firefox.exe, 0000000E.00000003.1563181985.00000156A97D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556928342.00000156A9B2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557015355.00000156A97D2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: ktmw32.pdb source: firefox.exe, 0000000E.00000003.1558058028.00000156A955A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558058028.00000156A9566000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1587931229.00000156A4968000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: freebl3.pdbP4 source: firefox.exe, 0000000E.00000003.1555996830.00000156A9BF0000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1585579606.00000156A4968000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000E.00000003.1581856892.00000156A78F7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.1546731436.00000156B2901000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: xul.pdb source: firefox.exe, 0000000E.00000003.1558058028.00000156A955A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: nssckbi.pdb source: firefox.exe, 0000000E.00000003.1555793671.00000156AA512000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: shcore.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A915C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: mozglue.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: dbgcore.pdbP4 source: firefox.exe, 0000000E.00000003.1570703714.00000156A9628000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: winnsi.pdb source: firefox.exe, 0000000E.00000003.1564103988.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557995398.00000156A967A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: dcomp.pdb source: firefox.exe, 0000000E.00000003.1563932432.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557801487.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: cryptsp.pdb source: firefox.exe, 0000000E.00000003.1562470132.00000156AA8A7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A9149000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdb source: firefox.exe, 0000000E.00000003.1555793671.00000156AA512000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1555482241.00000156AA608000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000E.00000003.1581856892.00000156A78F7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: 8taskschd.pdb source: firefox.exe, 0000000E.00000003.1582422082.00000156A7891000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: ntmarta.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A9149000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: urlmon.pdb source: firefox.exe, 0000000E.00000003.1556356300.00000156A9B98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556356300.00000156A9B7B000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.1581856892.00000156A78F7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.1585579606.00000156A4968000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: firefox.exe, 0000000E.00000003.1564103988.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557995398.00000156A967A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: nlaapi.pdb source: firefox.exe, 0000000E.00000003.1564103988.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557995398.00000156A967A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb source: firefox.exe, 0000000E.00000003.1562470132.00000156AA8A7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.1583620858.00000156B2901000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msimg32.pdb source: firefox.exe, 0000000E.00000003.1555996830.00000156A9BF0000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.1580708780.00000156A7995000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: ntasn1.pdb source: firefox.exe, 0000000E.00000003.1555482241.00000156AA608000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562849090.00000156AA6CE000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb source: firefox.exe, 0000000E.00000003.1557801487.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564017930.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: win32u.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb source: firefox.exe, 0000000E.00000003.1563181985.00000156A97D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557015355.00000156A97D2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.1583620858.00000156B2901000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dwmapi.pdb source: firefox.exe, 0000000E.00000003.1557801487.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564017930.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb@ source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb source: firefox.exe, 0000000E.00000003.1570703714.00000156A9628000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: srvcli.pdb source: firefox.exe, 0000000E.00000003.1556356300.00000156A9B98000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: wininet.pdbp, source: firefox.exe, 0000000E.00000003.1555793671.00000156AA512000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: imm32.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A9149000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.1546731436.00000156B2901000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: freebl3.pdb source: firefox.exe, 0000000E.00000003.1555996830.00000156A9BC2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: gdi32.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A9149000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.1581856892.00000156A78F7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: avrt.pdb source: firefox.exe, 0000000E.00000003.1555482241.00000156AA608000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562849090.00000156AA6CE000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A9149000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558461375.00000156A915C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdb source: firefox.exe, 0000000E.00000003.1564103988.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557995398.00000156A967A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: nsi.pdb source: firefox.exe, 0000000E.00000003.1564103988.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557995398.00000156A967A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
    Source: Binary string: winmm.pdb source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: winrnr.pdb source: firefox.exe, 0000000E.00000003.1564103988.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557995398.00000156A967A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: msctf.pdb source: firefox.exe, 0000000E.00000003.1557801487.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564017930.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.1581856892.00000156A78F7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: version.pdb source: firefox.exe, 0000000E.00000003.1570703714.00000156A9628000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: dbgcore.pdb source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: mscms.pdb source: firefox.exe, 0000000E.00000003.1563932432.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557801487.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: firefox.pdb^/gampad/.*xml_vmap1.*$ source: firefox.exe, 0000000E.00000003.1571003623.00000156A8C4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1566331167.00000156A8C4B000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: firefox.pdbp source: firefox.exe, 0000000E.00000003.1571003623.00000156A8C4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1566331167.00000156A8C4B000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: user32.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb` source: firefox.exe, 0000000E.00000003.1563932432.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557801487.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: twinapi.pdb source: firefox.exe, 0000000E.00000003.1557801487.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564017930.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: msasn1.pdb source: firefox.exe, 0000000E.00000003.1570703714.00000156A9628000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
    Source: Binary string: psapi.pdb source: firefox.exe, 0000000E.00000003.1570703714.00000156A9628000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: DWrite.pdb source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdb source: firefox.exe, 0000000E.00000003.1582135528.00000156A789F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564739004.00000156A8F51000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: combase.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A9149000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: dxgi.pdb source: firefox.exe, 0000000E.00000003.1563932432.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557801487.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.1587931229.00000156A4968000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ncrypt.pdb source: firefox.exe, 0000000E.00000003.1555482241.00000156AA608000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: 8linkinfo.pdb source: firefox.exe, 0000000E.00000003.1582422082.00000156A7891000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: crypt32.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C1DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00C1DBBE
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00BEC2A2 FindFirstFileExW,0_2_00BEC2A2
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C268EE FindFirstFileW,FindClose,0_2_00C268EE
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C2698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00C2698F
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C1D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C1D076
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C1D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C1D3A9
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C29642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C29642
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C2979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C2979D
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C29B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00C29B2B
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C25C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00C25C97
    Source: firefox.exeMemory has grown: Private usage: 1MB later: 217MB
    Source: unknownNetwork traffic detected: DNS query count 31
    Source: Joe Sandbox ViewIP Address: 151.101.1.91 151.101.1.91
    Source: Joe Sandbox ViewIP Address: 34.149.100.209 34.149.100.209
    Source: Joe Sandbox ViewIP Address: 34.117.188.166 34.117.188.166
    Source: Joe Sandbox ViewJA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C2CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_00C2CE44
    Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
    Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
    Source: firefox.exe, 0000000E.00000003.1416582164.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571290885.00000156A8C15000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
    Source: firefox.exe, 0000000E.00000003.1416582164.00000156A9627000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570703714.00000156A9628000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
    Source: firefox.exe, 00000012.00000002.2577135018.0000026FA9EFC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1407772304.0000026FA9EFC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1408412049.0000026FA9EFC000.00000004.00000020.00020000.00000000.sdmp, mozilla-temp-41.14.drString found in binary or memory: http://www.videolan.org/x264.html
    Source: firefox.exe, 0000000E.00000003.1532965897.00000156B31CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1559211972.00000156B31D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
    Source: firefox.exe, 0000000E.00000003.1532965897.00000156B31CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1559211972.00000156B31D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
    Source: firefox.exe, 0000000E.00000003.1580820227.00000156A797D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://MD8.mozilla.org/1/m
    Source: firefox.exe, 0000000E.00000003.1376372239.00000156A6F20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376999532.00000156A6F7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376545699.00000156A6F3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376196675.00000156A6D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376707963.00000156A6F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.duckduckgo.com/ac/
    Source: firefox.exe, 0000000E.00000003.1579676864.00000156A805E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
    Source: firefox.exe, 0000000E.00000003.1582422082.00000156A7891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.firefox.com
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://accounts.firefox.com/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://accounts.firefox.com/settings/clients
    Source: firefox.exe, 0000000E.00000003.1555261648.00000156AA8F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.firefox.comK
    Source: firefox.exe, 0000000E.00000003.1529143614.00000156A8EBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1437892898.00000156A8E7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1436953388.00000156A8E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1434336566.00000156A8E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1513085692.00000156A8EBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1440295306.00000156A8EB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1434028220.00000156A8E99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1437892898.00000156A8E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1487850716.00000156A8E6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1416582164.00000156A9627000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1437376099.00000156A8EBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1441364306.00000156A8EB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1436184136.00000156A8EBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1436448919.00000156A8E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1438696139.00000156A8EB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1487850716.00000156A8E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1506100982.00000156A8E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1434437827.00000156A8E7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1516073407.00000156A8E7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
    Source: firefox.exe, 0000000E.00000003.1559343506.00000156B318B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1532965897.00000156B318B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/addon/enhancer-for-youtube/
    Source: firefox.exe, 0000000E.00000003.1559343506.00000156B318B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1532965897.00000156B318B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/addon/facebook-container/
    Source: firefox.exe, 0000000E.00000003.1559343506.00000156B318B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1532965897.00000156B318B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/
    Source: firefox.exe, 0000000E.00000003.1559343506.00000156B318B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1532965897.00000156B318B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/addon/to-google-translate/
    Source: firefox.exe, 0000000E.00000003.1559343506.00000156B318B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1532965897.00000156B318B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/addon/wikipedia-context-menu-search/
    Source: firefox.exe, 0000000E.00000003.1582135528.00000156A789F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ads-us.rd.linksynergy.com/as.php
    Source: firefox.exe, 0000000E.00000003.1564739004.00000156A8F51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1575697642.00000156A8427000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ads.stickyadstv.com/firefox-etp
    Source: firefox.exe, 0000000E.00000003.1561280442.00000156AFB0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://allegro.pl/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://api.accounts.firefox.com/v1
    Source: firefox.exe, 0000000E.00000003.1532965897.00000156B318B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht
    Source: firefox.exe, 0000000E.00000003.1532965897.00000156B318B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://app.adjust.com/a8bxj8j?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
    Source: firefox.exe, 0000000E.00000003.1532889892.00000156B370B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1538297561.00000156AF576000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org
    Source: firefox.exe, 0000000E.00000003.1562185784.00000156AA8F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
    Source: firefox.exe, 0000000E.00000003.1581856892.00000156A78F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1549121320.00000156AF816000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://blocked.cdn.mozilla.net/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
    Source: firefox.exe, 00000010.00000002.2572513433.0000022D9C9E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2572373433.0000026FA91E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2576187425.000002329DD03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700
    Source: firefox.exe, 00000010.00000002.2572513433.0000022D9C9E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2572373433.0000026FA91E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2576187425.000002329DD03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta
    Source: firefox.exe, 0000000E.00000003.1567052083.00000156B3148000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
    Source: firefox.exe, 0000000E.00000003.1442899984.00000156B112F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1443420231.00000156B1133000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1189266
    Source: firefox.exe, 0000000E.00000003.1442899984.00000156B112F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1443805259.00000156B113A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1443420231.00000156B1133000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1193802
    Source: firefox.exe, 0000000E.00000003.1443420231.00000156B1133000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1283601
    Source: firefox.exe, 0000000E.00000003.1442899984.00000156B112F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1443805259.00000156B113A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1443420231.00000156B1133000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1678448
    Source: firefox.exe, 0000000E.00000003.1530718851.00000156A8D8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1694699#c21
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
    Source: firefox.exe, 0000000E.00000003.1376372239.00000156A6F20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376999532.00000156A6F7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376545699.00000156A6F3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376196675.00000156A6D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376707963.00000156A6F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://completion.amazon.com/search/complete?q=
    Source: firefox.exe, 0000000E.00000003.1561324508.00000156AFAD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1414308427.00000156AFAD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://content.cdn.mozilla.net
    Source: firefox.exe, 00000010.00000002.2572513433.0000022D9C9E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2572373433.0000026FA91E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2576187425.000002329DD03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg
    Source: firefox.exe, 00000010.00000002.2572513433.0000022D9C9E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2572373433.0000026FA91E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2576187425.000002329DD03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
    Source: firefox.exe, 0000000E.00000003.1554789510.00000156AF8C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile.services.mozilla.com
    Source: firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile.services.mozilla.com/
    Source: firefox.exe, 0000000E.00000003.1568576227.00000156AF8A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://contile.services.mozilla.com/v1/tiles
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://coverage.mozilla.org
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://crash-stats.mozilla.org/report/index/
    Source: firefox.exe, 0000000E.00000003.1507977664.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408887212.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1407600479.00000156AF668000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/993268
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://dap-02.api.divviup.org
    Source: firefox.exe, 0000000E.00000003.1552024445.00000156AF83C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc
    Source: firefox.exe, 0000000E.00000003.1552024445.00000156AF83C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577226926.00000156AF845000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
    Source: firefox.exe, 0000000E.00000003.1552024445.00000156AF83C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureElementReleaseCaptureWarning
    Source: firefox.exe, 0000000E.00000003.1577226926.00000156AF845000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#EncryptionPreventDefaultFromP
    Source: firefox.exe, 0000000E.00000003.1577226926.00000156AF82E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored
    Source: firefox.exe, 0000000E.00000003.1430935493.00000156A8B8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIEffectiveTLDServi
    Source: firefox.exe, 0000000E.00000003.1507977664.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408887212.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1407600479.00000156AF668000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
    Source: firefox.exe, 0000000E.00000003.1507977664.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408887212.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1407600479.00000156AF668000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
    Source: firefox.exe, 0000000E.00000003.1507977664.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408887212.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1407600479.00000156AF668000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
    Source: firefox.exe, 0000000E.00000003.1540763963.00000156AFB9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1581338673.00000156A795A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1432799925.00000156A8E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1436953388.00000156A8E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1437892898.00000156A8E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376372239.00000156A6F20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376999532.00000156A6F7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1434054106.00000156A8E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376545699.00000156A6F3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571003623.00000156A8C2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1436448919.00000156A8E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376196675.00000156A6D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1429749153.00000156A8E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376707963.00000156A6F5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1487850716.00000156A8E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1566331167.00000156A8C2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1506100982.00000156A8E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/
    Source: firefox.exe, 0000000E.00000003.1588957579.00000156A6B39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1378157875.00000156A6B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1378786026.00000156A6B23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1490946586.00000156A6B2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1379235594.00000156A6B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
    Source: firefox.exe, 0000000E.00000003.1588957579.00000156A6B39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1378157875.00000156A6B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1378786026.00000156A6B23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1490946586.00000156A6B2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1379235594.00000156A6B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
    Source: firefox.exe, 0000000E.00000003.1577226926.00000156AF845000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/
    Source: firefox.exe, 0000000E.00000003.1555482241.00000156AA608000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1569078140.00000156AF52A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2572373433.0000026FA9112000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2572567940.000002329DB13000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
    Source: firefox.exe, 0000000E.00000003.1418194111.00000156A762C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
    Source: firefox.exe, 0000000E.00000003.1418194111.00000156A762C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419432793.00000156A763F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
    Source: firefox.exe, 0000000E.00000003.1558461375.00000156A915C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1559343506.00000156B3165000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firefox.settings.services.mozilla.com
    Source: firefox.exe, 0000000E.00000003.1566331167.00000156A8C4B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firefox.settings.services.mozilla.com/
    Source: firefox.exe, 0000000E.00000003.1559211972.00000156B31D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
    Source: firefox.exe, 0000000E.00000003.1555482241.00000156AA608000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1569078140.00000156AF52A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2572373433.0000026FA9112000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2572567940.000002329DB13000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.cdn.mozilla.net/
    Source: firefox.exe, 00000014.00000002.2572567940.000002329DBC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
    Source: firefox.exe, 00000014.00000002.2572567940.000002329DBC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
    Source: firefox.exe, 0000000E.00000003.1569078140.00000156AF52A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2572373433.0000026FA912F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2572567940.000002329DB30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
    Source: firefox.exe, 0000000E.00000003.1554871059.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568576227.00000156AF8A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
    Source: firefox.exe, 0000000E.00000003.1554871059.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568576227.00000156AF8A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
    Source: firefox.exe, 0000000E.00000003.1554871059.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568576227.00000156AF8A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
    Source: firefox.exe, 0000000E.00000003.1554871059.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568576227.00000156AF8A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
    Source: firefox.exe, 0000000E.00000003.1554871059.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568576227.00000156AF8A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
    Source: firefox.exe, 0000000E.00000003.1554871059.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568576227.00000156AF8A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
    Source: firefox.exe, 0000000E.00000003.1554871059.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568576227.00000156AF8A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
    Source: firefox.exe, 00000014.00000002.2572567940.000002329DBC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
    Source: firefox.exe, 0000000E.00000003.1569078140.00000156AF52A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
    Source: firefox.exe, 0000000E.00000003.1554871059.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568576227.00000156AF8A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
    Source: firefox.exe, 0000000E.00000003.1535894217.00000156AF85F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
    Source: firefox.exe, 0000000E.00000003.1554871059.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568576227.00000156AF8A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
    Source: firefox.exe, 00000014.00000002.2572567940.000002329DBC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/recommendations
    Source: firefox.exe, 0000000E.00000003.1569078140.00000156AF52A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/recommendationsS
    Source: firefox.exe, 0000000E.00000003.1569078140.00000156AF52A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/recommendationsS7
    Source: firefox.exe, 0000000E.00000003.1569078140.00000156AF52A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
    Source: firefox.exe, 0000000E.00000003.1507977664.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408887212.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1407600479.00000156AF668000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/google/closure-compiler/issues/3177
    Source: firefox.exe, 0000000E.00000003.1408098344.00000156AF923000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408180897.00000156AF963000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
    Source: firefox.exe, 0000000E.00000003.1408098344.00000156AF923000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408180897.00000156AF963000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
    Source: firefox.exe, 0000000E.00000003.1507977664.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408887212.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1407600479.00000156AF668000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/lit/lit/issues/1266
    Source: firefox.exe, 0000000E.00000003.1507977664.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408887212.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1407600479.00000156AF668000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
    Source: firefox.exe, 0000000E.00000003.1376372239.00000156A6F20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376999532.00000156A6F7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376545699.00000156A6F3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376196675.00000156A6D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376707963.00000156A6F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mozilla-services/screenshots
    Source: firefox.exe, 0000000E.00000003.1569078140.00000156AF52A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/zertosh/loose-envify)
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
    Source: firefox.exe, 0000000E.00000003.1527694786.00000156B2285000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1533353067.00000156B22BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1498780985.00000156A83A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1542005885.00000156A8EBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1530263920.00000156A8EBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1511310180.00000156A83A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1527546229.00000156B22BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ib.absa.co.za/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://ideas.mozilla.org/
    Source: firefox.exe, 0000000E.00000003.1582477245.00000156A787E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://identity.mozilla.com/apps/oldsyncS
    Source: firefox.exe, 0000000E.00000003.1567631992.00000156B2244000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1527929114.00000156B223A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1533511216.00000156B223A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://identity.mozilla.com/apps/relay
    Source: firefox.exe, 0000000E.00000003.1582477245.00000156A787E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://identity.mozilla.com/cmd/H
    Source: firefox.exe, 0000000E.00000003.1582477245.00000156A787E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://identity.mozilla.com/cmd/HCX
    Source: firefox.exe, 0000000E.00000003.1582477245.00000156A787E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://identity.mozilla.com/ids/ecosystem_telemetryU
    Source: firefox.exe, 0000000E.00000003.1582477245.00000156A787E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://identity.mozilla.com/ids/ecosystem_telemetryUFj
    Source: firefox.exe, 0000000E.00000003.1555024533.00000156AF880000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535894217.00000156AF874000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
    Source: prefs-1.js.14.drString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi
    Source: firefox.exe, 0000000E.00000003.1566331167.00000156A8C4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1567052083.00000156B3148000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org
    Source: firefox.exe, 00000014.00000002.2572567940.000002329DBF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit
    Source: firefox.exe, 0000000E.00000003.1532965897.00000156B318B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/events/1/49b8c077-568d-45d1-b52a-e591a
    Source: firefox.exe, 0000000E.00000003.1581856892.00000156A78F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/messaging-system/1/ffc7ad80-9f7b-42ff-
    Source: firefox.exe, 0000000E.00000003.1532557633.00000156B376B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/metrics/1/2ea618e0-cf8c-42eb-bd65-00f6
    Source: firefox.exe, 0000000E.00000003.1527929114.00000156B223A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1533511216.00000156B223A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1560045366.00000156B2253000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit/messaging-system/undesired-events/1/50962f2d-4506-49f0
    Source: firefox.exe, 0000000E.00000003.1581856892.00000156A78F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1527929114.00000156B223A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1533511216.00000156B223A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1560045366.00000156B2253000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit/messaging-system/undesired-events/1/87917974-cbd9-4c5c
    Source: firefox.exe, 0000000E.00000003.1569078140.00000156AF52A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submits
    Source: firefox.exe, 0000000E.00000003.1507977664.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408887212.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1407600479.00000156AF668000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://install.mozilla.org
    Source: firefox.exe, 0000000E.00000003.1534994192.00000156AFAD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561324508.00000156AFAD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1414308427.00000156AFAD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://json-schema.org/draft/2019-09/schema
    Source: firefox.exe, 0000000E.00000003.1507977664.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408887212.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1407600479.00000156AF668000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
    Source: firefox.exe, 0000000E.00000003.1507977664.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408887212.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1407600479.00000156AF668000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
    Source: firefox.exe, 0000000E.00000003.1507977664.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408887212.00000156AF667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1407600479.00000156AF668000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
    Source: firefox.exe, 0000000E.00000003.1580652692.00000156A79AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://location.services.mozilla.com
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
    Source: firefox.exe, 0000000E.00000003.1573832856.00000156A8749000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568795949.00000156AF5B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
    Source: firefox.exe, 0000000E.00000003.1516978191.00000156A8BB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.li
    Source: firefox.exe, 0000000E.00000003.1538535143.00000156AA559000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534994192.00000156AFAEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561324508.00000156AFAEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1552632724.00000156AA559000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
    Source: firefox.exe, 0000000E.00000003.1538535143.00000156AA559000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1552632724.00000156AA559000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
    Source: firefox.exe, 0000000E.00000003.1588957579.00000156A6B39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1378157875.00000156A6B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1378786026.00000156A6B23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1490946586.00000156A6B2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1379235594.00000156A6B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
    Source: firefox.exe, 0000000E.00000003.1588957579.00000156A6B39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1378157875.00000156A6B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1378786026.00000156A6B23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1490946586.00000156A6B2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1379235594.00000156A6B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.inbox.lv/compose?to=%s
    Source: firefox.exe, 0000000E.00000003.1588957579.00000156A6B39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1378157875.00000156A6B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1378786026.00000156A6B23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1490946586.00000156A6B2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1379235594.00000156A6B33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
    Source: firefox.exe, 00000012.00000002.2572373433.0000026FA9186000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2572567940.000002329DB8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
    Source: firefox.exe, 00000010.00000002.2572513433.0000022D9C972000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestabout
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://mitmdetection.services.mozilla.com/
    Source: firefox.exe, 0000000E.00000003.1438696139.00000156A8EDA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mochitest.youtube.com/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/about
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/breach-details/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/user/dashboard
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/user/preferences
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
    Source: firefox.exe, 0000000E.00000003.1540490569.00000156A48FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mozilla.org0/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://oauth.accounts.firefox.com/v1
    Source: firefox.exe, 0000000E.00000003.1564198032.00000156A949E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ok.ru/
    Source: firefox.exe, 0000000E.00000003.1547727687.00000156AFB28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534233569.00000156AFB32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568292454.00000156AFB28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564198032.00000156A949E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1412485340.00000156AFB2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1540763963.00000156AFB32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.baidu.com/
    Source: firefox.exe, 0000000E.00000003.1561280442.00000156AFB0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bbc.co.uk/
    Source: firefox.exe, 0000000E.00000003.1547727687.00000156AFB28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534233569.00000156AFB32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568292454.00000156AFB28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564198032.00000156A949E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1412485340.00000156AFB2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1540763963.00000156AFB32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ctrip.com/
    Source: firefox.exe, 0000000E.00000003.1540490569.00000156A48FB000.00000004.00000020.00020000.00000000.sdmp, gmpopenh264.dll.tmp.14.drString found in binary or memory: https://www.digicert.com/CPS0
    Source: firefox.exe, 0000000E.00000003.1547727687.00000156AFB28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534233569.00000156AFB32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568292454.00000156AFB28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1412485340.00000156AFB2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1540763963.00000156AFB32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ebay.co.uk/
    Source: firefox.exe, 0000000E.00000003.1561280442.00000156AFB0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ebay.de/
    Source: firefox.exe, 0000000E.00000003.1534233569.00000156AFB94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568292454.00000156AFB28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1412485340.00000156AFB2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1540763963.00000156AFB32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
    Source: firefox.exe, 0000000E.00000003.1408549849.00000156AF6D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1408425595.00000156AF6C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1407399380.00000156AF646000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/complete/search
    Source: firefox.exe, 0000000E.00000003.1376372239.00000156A6F20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376999532.00000156A6F7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376545699.00000156A6F3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376196675.00000156A6D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376707963.00000156A6F5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
    Source: firefox.exe, 0000000E.00000003.1534878442.00000156AFB28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1429749153.00000156A8E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376707963.00000156A6F5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1487850716.00000156A8E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1506100982.00000156A8E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
    Source: firefox.exe, 0000000E.00000003.1433542927.00000156A8EDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1438696139.00000156A8EDA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.hulu.com/watch/
    Source: firefox.exe, 0000000E.00000003.1561280442.00000156AFB0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564198032.00000156A949E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ifeng.com/
    Source: firefox.exe, 0000000E.00000003.1433542927.00000156A8EDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1438696139.00000156A8EDA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.instagram.com/
    Source: firefox.exe, 0000000E.00000003.1561280442.00000156AFB0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564198032.00000156A949E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.iqiyi.com/
    Source: firefox.exe, 0000000E.00000003.1561280442.00000156AFB0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.leboncoin.fr/
    Source: firefox.exe, 00000010.00000002.2572513433.0000022D9C9E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2572373433.0000026FA91E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2576187425.000002329DD03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr
    Source: firefox.exe, 0000000E.00000003.1560422381.00000156AFB94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547727687.00000156AFB94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1549199918.00000156AF7A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1540763963.00000156AFB98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1538142560.00000156AF5B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551037983.00000156AF5B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1540763963.00000156AFBB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1553903801.00000156AFBB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534233569.00000156AFB94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547727687.00000156AFBB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568795949.00000156AF5B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
    Source: firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
    Source: firefox.exe, 0000000E.00000003.1571452056.00000156A89FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
    Source: firefox.exe, 0000000E.00000003.1572136257.00000156A88DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.d-GHL1OW1fkT
    Source: firefox.exe, 0000000E.00000003.1418194111.00000156A762C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419432793.00000156A763F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
    Source: firefox.exe, 0000000E.00000003.1532965897.00000156B3146000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1559343506.00000156B3165000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/anything/?
    Source: firefox.exe, 0000000E.00000003.1571452056.00000156A89FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
    Source: firefox.exe, 0000000E.00000003.1572136257.00000156A88DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sYEKgG4Or0s6
    Source: firefox.exe, 0000000E.00000003.1528120988.00000156B2221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/about/legal/terms/subscription-services/
    Source: firefox.exe, 0000000E.00000003.1532766525.00000156B371A000.00000004.00000800.00020000.00000000.sdmp, targeting.snapshot.json.tmp.14.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
    Source: firefox.exe, 0000000E.00000003.1582135528.00000156A78C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1572136257.00000156A88DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
    Source: firefox.exe, 0000000E.00000003.1528120988.00000156B2221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/subscription-services/
    Source: firefox.exe, 0000000E.00000003.1578634213.00000156A8828000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/
    Source: firefox.exe, 0000000E.00000003.1572136257.00000156A88DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571452056.00000156A89FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
    Source: firefox.exe, 0000000E.00000003.1559343506.00000156B318B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1532965897.00000156B318B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/mobile/get-app/?utm_medium=firefox-desktop&utm_source=onboarding-mod
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
    Source: firefox.exe, 00000010.00000002.2572513433.0000022D9C9C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2572373433.0000026FA91CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2572567940.000002329DBF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
    Source: firefox.exe, 0000000E.00000003.1554871059.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568576227.00000156AF8A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
    Source: firefox.exe, 00000014.00000002.2572567940.000002329DBF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/:
    Source: firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
    Source: firefox.exe, 0000000E.00000003.1554871059.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568576227.00000156AF8A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/V
    Source: firefox.exe, 0000000E.00000003.1582135528.00000156A78C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1572136257.00000156A88DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
    Source: firefox.exe, 0000000E.00000003.1552632724.00000156AA575000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com
    Source: firefox.exe, 0000000E.00000003.1551037983.00000156AF5A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561280442.00000156AFB0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568795949.00000156AF5A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1538297561.00000156AF5A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.olx.pl/
    Source: firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.reddit.com/
    Source: firefox.exe, 0000000E.00000003.1580652692.00000156A79AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sling.com/
    Source: firefox.exe, 0000000E.00000003.1561280442.00000156AFB0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.wykop.pl/
    Source: firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1540763963.00000156AFB32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2572373433.0000026FA910A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2572567940.000002329DB0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
    Source: firefox.exe, 0000000E.00000003.1551037983.00000156AF5A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564198032.00000156A949E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568795949.00000156AF5A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1538297561.00000156AF5A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.zhihu.com/
    Source: firefox.exe, 0000000E.00000003.1552024445.00000156AF849000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577226926.00000156AF849000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
    Source: firefox.exe, 0000000E.00000003.1557801487.00000156A96BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://youtube.com
    Source: firefox.exe, 0000000E.00000003.1551428259.00000156AF45D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/
    Source: recovery.jsonlz4.tmp.14.drString found in binary or memory: https://youtube.com/account?=
    Source: firefox.exe, 00000012.00000002.2570057133.0000026FA8DC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/chal
    Source: firefox.exe, 00000014.00000002.2571182669.000002329D840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/chalc
    Source: firefox.exe, 0000000E.00000003.1540763963.00000156AFB32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2570614083.0000022D9C60A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2571132989.0000022D9C774000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2570543184.0000026FA8E10000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2570057133.0000026FA8DC4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2570543184.0000026FA8E1A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2571182669.000002329D844000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2570308438.000002329D7BA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2570308438.000002329D7B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
    Source: firefox.exe, 00000010.00000002.2570614083.0000022D9C600000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd$?
    Source: firefox.exe, 0000000C.00000002.1359940229.0000021C6DD17000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000002.1372122348.00000221CA229000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
    Source: firefox.exe, 00000010.00000002.2570614083.0000022D9C60A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd0?
    Source: firefox.exe, 0000000E.00000003.1585014512.00000156A48FB000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1586336170.00000156A48FB000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1583841867.00000156A495B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584061487.00000156A48FE000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2570614083.0000022D9C600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2571132989.0000022D9C774000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2570543184.0000026FA8E10000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2570057133.0000026FA8DC4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2571182669.000002329D844000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2570308438.000002329D7B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C2EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00C2EAFF
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C2ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00C2ED6A
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C2EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00C2EAFF
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C1AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00C1AA57
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C49576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00C49576

    System Summary

    Source: P0HV8mjHS1.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
    Source: P0HV8mjHS1.exe, 00000000.00000000.1316976235.0000000000C72000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
    Source: P0HV8mjHS1.exe, 00000000.00000000.1316976235.0000000000C72000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
    Source: P0HV8mjHS1.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_0000026FA8FD6B77 NtQuerySystemInformation
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_0000026FA8FF95B2 NtQuerySystemInformation
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C1D5EB: CreateFileW,DeviceIoControl,CloseHandle
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C11201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C1E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BBBF40
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C22046
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BB8060
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C18298
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BEE4FF
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BE676B
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C44873
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BDCAA0
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BBCAF0
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BCCC39
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BE6DD9
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BB91C0
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BCB119
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BD1394
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BD1706
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BD781B
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BD19B0
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BB7920
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BC997D
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BD7A4A
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BD7CA7
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BD1C77
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BE9EEE
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C3BE44
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BD1F32
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_0000026FA8FD6B77
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_0000026FA8FF95B2
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_0000026FA8FF9CDC
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_0000026FA8FF95F2
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: String function: 00BD0A30 appears 46 times
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: String function: 00BCF9F2 appears 40 times
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: String function: 00BB9CB3 appears 31 times
    Source: P0HV8mjHS1.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
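    The two static findings above, the "This is a third-party compiled AutoIt script." marker string and the PE Characteristics flags (EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE), are cheap to reproduce on any suspicious file before it goes to a sandbox. The script below is an added example and not part of the Joe Sandbox report: it parses the COFF header for the flag bits and scans for the marker string in ASCII and UTF-16LE. The AU3!EA06 resource magic it also looks for is a marker of compiled AutoIt3 scripts that the report itself does not mention, and the sample bytes are constructed inline rather than taken from the real binary.

```python
"""Static triage for the two findings above: PE Characteristics flags and
compiled-AutoIt markers. Added example, not the report's own tooling."""
import struct

# IMAGE_FILE_* Characteristics bits from the PE/COFF specification
CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# marker string quoted in the report; AU3!EA06 is the AutoIt3 script-resource
# magic (not in the report, added here as an extra indicator)
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."
AU3_MAGIC = b"AU3!EA06"


def pe_characteristics(data):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header and return
    (Machine, set of Characteristics flag names). ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    # Characteristics(2)
    machine, _nsec, _ts, _symtab, _nsym, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    flags = {name for bit, name in CHARACTERISTICS.items() if chars & bit}
    return machine, flags


def autoit_markers(data):
    """Return the set of compiled-AutoIt indicators present in the bytes.
    AutoIt stores its runtime strings as wide chars, so check UTF-16LE too."""
    found = set()
    wide_marker = AUTOIT_MARKER.decode().encode("utf-16-le")
    if AUTOIT_MARKER in data or wide_marker in data:
        found.add("third-party compiled AutoIt string")
    if AU3_MAGIC in data:
        found.add("AU3!EA06 script magic")
    return found


def triage(data):
    """Combine both checks into one result dict for a file's bytes."""
    machine, flags = pe_characteristics(data)
    return {"machine": machine, "flags": flags, "autoit": autoit_markers(data)}


def build_sample():
    """Constructed minimal PE image (not the real sample): MZ stub with
    e_lfanew = 0x40, i386 COFF header with Characteristics 0x0122, then the
    AutoIt marker string and the AU3! magic appended as file content."""
    mz = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # 64 bytes
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0122)
    return mz + coff + b"\0" * 32 + AUTOIT_MARKER + b"\0" + AU3_MAGIC


if __name__ == "__main__":
    result = triage(build_sample())
    print("machine=0x%X flags=%s autoit=%s" % (
        result["machine"], sorted(result["flags"]), sorted(result["autoit"])))
```

    Run it against a real file with `triage(open(path, "rb").read())`; the flag set for this sample should match the report's Static PE information line, and either AutoIt indicator is enough reason to decompile the embedded script rather than reverse the AutoIt interpreter code that most of the "Code function" lines above belong to.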
    Source: classification engine | Classification label: mal80.troj.evad.winEXE@34/34@67/12
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C237B5 GetLastError,FormatMessageW
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C110BF AdjustTokenPrivileges,CloseHandle
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C1D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C2648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BB42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6004:120:WilError_03
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | File created: C:\Users\user\AppData\Local\Temp\firefox
    Source: P0HV8mjHS1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: firefox.exe, 0000000E.00000003.1571452056.00000156A89D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1582422082.00000156A7891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
    Source: firefox.exe, 0000000E.00000003.1582422082.00000156A7891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
    Source: firefox.exe, 0000000E.00000003.1582422082.00000156A7891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
    Source: firefox.exe, 0000000E.00000003.1582422082.00000156A7891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
    Source: firefox.exe, 0000000E.00000003.1580652692.00000156A79AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT sum(count) FROM events;
    Source: firefox.exe, 0000000E.00000003.1582422082.00000156A7891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
    Source: firefox.exe, 0000000E.00000003.1582422082.00000156A7891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
    Source: firefox.exe, 0000000E.00000003.1582422082.00000156A7891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT sum(count) FROM events;9'
    Source: firefox.exe, 0000000E.00000003.1582422082.00000156A7891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT sum(count) FROM events;9
    Source: firefox.exe, 0000000E.00000003.1582422082.00000156A7891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);
    Source: P0HV8mjHS1.exe | ReversingLabs: Detection: 47%
    Source: unknown | Process created: C:\Users\user\Desktop\P0HV8mjHS1.exe "C:\Users\user\Desktop\P0HV8mjHS1.exe"
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
    Source: unknown | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2172 -prefsLen 25358 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ad7f508-ae10-4797-94a8-42f485d40445} 7332 "\\.\pipe\gecko-crash-server-pipe.7332" 1569726f510 socket
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -parentBuildID 20230927232528 -prefsHandle 3720 -prefMapHandle 4092 -prefsLen 26373 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7f145a7-2cf0-440e-8897-25c02c759692} 7332 "\\.\pipe\gecko-crash-server-pipe.7332" 156a956c510 rdd
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5096 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 5108 -prefsLen 33184 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cea3218c-8734-46eb-8bf4-f4aef17ce0d4} 7332 "\\.\pipe\gecko-crash-server-pipe.7332" 156af813b10 utility
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2172 -prefsLen 25358 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ad7f508-ae10-4797-94a8-42f485d40445} 7332 "\\.\pipe\gecko-crash-server-pipe.7332" 1569726f510 socket
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -parentBuildID 20230927232528 -prefsHandle 3720 -prefMapHandle 4092 -prefsLen 26373 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7f145a7-2cf0-440e-8897-25c02c759692} 7332 "\\.\pipe\gecko-crash-server-pipe.7332" 156a956c510 rdd
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5096 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 5108 -prefsLen 33184 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cea3218c-8734-46eb-8bf4-f4aef17ce0d4} 7332 "\\.\pipe\gecko-crash-server-pipe.7332" 156af813b10 utility
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown
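    The process tree above is the whole of the behaviour that the Credential Flusher detection in the overview refers to: the sample force-kills every browser it knows about with taskkill /F /IM <browser> /T, then relaunches Firefox in --kiosk mode on a Google password-challenge URL, leaving the user with a full-screen sign-in page and no other browser window. That sequence is easy to express as a detection over process-creation telemetry. The following is an added example and not part of the Joe Sandbox report: the event records and their field names are constructed to mirror the tree above (modelled loosely on Sysmon Event ID 1) and are an assumption, as is the list of sign-in URL fragments used to score the kiosk launch.

```python
"""Detect the credential-flusher chain from process-creation events:
(1) one parent spawns `taskkill /F /IM <browser> /T` for several browsers,
(2) the same parent launches a browser with --kiosk on a sign-in page.
Added example, not part of the report; events below are constructed."""
import re
from collections import defaultdict

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
# taskkill accepts /IM anywhere on the line; capture the image name it targets
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/IM\s+(\S+)", re.IGNORECASE)
# --kiosk takes the URL as the next argument, quoted or not
KIOSK_RE = re.compile(r'--kiosk\s+"?([^\s"]+)', re.IGNORECASE)
# URL fragments that suggest a credential prompt (assumption, tune per tenant)
LOGIN_HINTS = ("signin", "login", "challenge/pwd", "account")

# constructed events mirroring the report's process tree (field names assumed)
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\user\Desktop\P0HV8mjHS1.exe",
     "cmd": r'"C:\Users\user\Desktop\P0HV8mjHS1.exe"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmd": "taskkill /F /IM firefox.exe /T"},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmd": "taskkill /F /IM chrome.exe /T"},
    {"pid": 103, "ppid": 100, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmd": "taskkill /F /IM msedge.exe /T"},
    {"pid": 104, "ppid": 100, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmd": "taskkill /F /IM opera.exe /T"},
    {"pid": 105, "ppid": 100, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmd": "taskkill /F /IM brave.exe /T"},
    {"pid": 106, "ppid": 100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmd": r'"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk '
            r'"https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" '
            r'--no-default-browser-check --disable-popup-blocking'},
    # benign noise: a helpdesk script closes one hung browser, no kiosk launch
    {"pid": 200, "ppid": 2, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "taskkill /F /IM chrome.exe"},
]


def basename(path):
    """Last path component, lower-cased, so images compare by file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, min_kills=2):
    """One finding per parent that both kills >= min_kills distinct browsers
    and launches a browser in kiosk mode at a sign-in-looking URL."""
    killed = defaultdict(set)       # ppid -> browsers it killed
    kiosk_urls = defaultdict(list)  # ppid -> kiosk URLs it launched
    for ev in events:
        m = TASKKILL_RE.search(ev["cmd"])
        if m and m.group(1).lower() in BROWSERS:
            killed[ev["ppid"]].add(m.group(1).lower())
        k = KIOSK_RE.search(ev["cmd"])
        if k and basename(ev["image"]) in BROWSERS:
            kiosk_urls[ev["ppid"]].append(k.group(1))
    findings = []
    for ppid, browsers in killed.items():
        urls = [u for u in kiosk_urls.get(ppid, [])
                if any(h in u.lower() for h in LOGIN_HINTS)]
        if len(browsers) >= min_kills and urls:
            findings.append({"parent_pid": ppid,
                             "killed": sorted(browsers),
                             "kiosk_urls": urls})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print("parent %d killed %s then opened kiosk %s"
              % (f["parent_pid"], f["killed"], f["kiosk_urls"]))
```

    Keying both halves on the parent PID is what keeps the rule quiet: a lone taskkill from a helpdesk script or a user-launched kiosk browser each fire only one half. The min_kills threshold of two is a starting point; the sample above kills five, and an attacker who only targets the default browser would need the kiosk half alone to be weighted higher.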
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: wsock32.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: wshbth.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: nlaapi.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: winrnr.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: wshbth.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: nlaapi.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: winrnr.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: wshbth.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: nlaapi.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: winrnr.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: wshbth.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: nlaapi.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: winrnr.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: wshbth.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: nlaapi.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: winrnr.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: wshbth.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: nlaapi.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: winrnr.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: P0HV8mjHS1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: P0HV8mjHS1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: P0HV8mjHS1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: P0HV8mjHS1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: P0HV8mjHS1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: P0HV8mjHS1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: P0HV8mjHS1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: UxTheme.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A9149000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: rsaenh.pdb source: firefox.exe, 0000000E.00000003.1562470132.00000156AA8A7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb source: firefox.exe, 0000000E.00000003.1555793671.00000156AA512000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb source: firefox.exe, 0000000E.00000003.1555996830.00000156A9BC2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb@ source: firefox.exe, 0000000E.00000003.1563932432.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557801487.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb source: firefox.exe, 0000000E.00000003.1557801487.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564017930.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.1564103988.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557995398.00000156A967A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: WscApi.pdb source: firefox.exe, 0000000E.00000003.1563181985.00000156A97D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556928342.00000156A9B2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557015355.00000156A97D2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: ktmw32.pdb source: firefox.exe, 0000000E.00000003.1558058028.00000156A955A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558058028.00000156A9566000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1587931229.00000156A4968000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: freebl3.pdbP4 source: firefox.exe, 0000000E.00000003.1555996830.00000156A9BF0000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1585579606.00000156A4968000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000E.00000003.1581856892.00000156A78F7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.1546731436.00000156B2901000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: xul.pdb source: firefox.exe, 0000000E.00000003.1558058028.00000156A955A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: nssckbi.pdb source: firefox.exe, 0000000E.00000003.1555793671.00000156AA512000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: shcore.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A915C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: mozglue.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: dbgcore.pdbP4 source: firefox.exe, 0000000E.00000003.1570703714.00000156A9628000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: winnsi.pdb source: firefox.exe, 0000000E.00000003.1564103988.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557995398.00000156A967A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: dcomp.pdb source: firefox.exe, 0000000E.00000003.1563932432.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557801487.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: cryptsp.pdb source: firefox.exe, 0000000E.00000003.1562470132.00000156AA8A7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A9149000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdb source: firefox.exe, 0000000E.00000003.1555793671.00000156AA512000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1555482241.00000156AA608000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000E.00000003.1581856892.00000156A78F7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: 8taskschd.pdb source: firefox.exe, 0000000E.00000003.1582422082.00000156A7891000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: ntmarta.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A9149000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: urlmon.pdb source: firefox.exe, 0000000E.00000003.1556356300.00000156A9B98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556356300.00000156A9B7B000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.1581856892.00000156A78F7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.1585579606.00000156A4968000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: firefox.exe, 0000000E.00000003.1564103988.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557995398.00000156A967A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: nlaapi.pdb source: firefox.exe, 0000000E.00000003.1564103988.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557995398.00000156A967A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb source: firefox.exe, 0000000E.00000003.1562470132.00000156AA8A7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.1583620858.00000156B2901000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msimg32.pdb source: firefox.exe, 0000000E.00000003.1555996830.00000156A9BF0000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.1580708780.00000156A7995000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: ntasn1.pdb source: firefox.exe, 0000000E.00000003.1555482241.00000156AA608000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562849090.00000156AA6CE000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb source: firefox.exe, 0000000E.00000003.1557801487.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564017930.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: win32u.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb source: firefox.exe, 0000000E.00000003.1563181985.00000156A97D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557015355.00000156A97D2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.1583620858.00000156B2901000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dwmapi.pdb source: firefox.exe, 0000000E.00000003.1557801487.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564017930.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb@ source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb source: firefox.exe, 0000000E.00000003.1570703714.00000156A9628000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: srvcli.pdb source: firefox.exe, 0000000E.00000003.1556356300.00000156A9B98000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: wininet.pdbp, source: firefox.exe, 0000000E.00000003.1555793671.00000156AA512000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: imm32.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A9149000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.1546731436.00000156B2901000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: freebl3.pdb source: firefox.exe, 0000000E.00000003.1555996830.00000156A9BC2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: gdi32.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A9149000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.1581856892.00000156A78F7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: avrt.pdb source: firefox.exe, 0000000E.00000003.1555482241.00000156AA608000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562849090.00000156AA6CE000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A9149000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558461375.00000156A915C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdb source: firefox.exe, 0000000E.00000003.1564103988.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557995398.00000156A967A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: nsi.pdb source: firefox.exe, 0000000E.00000003.1564103988.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557995398.00000156A967A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
    Source: Binary string: winmm.pdb source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: winrnr.pdb source: firefox.exe, 0000000E.00000003.1564103988.00000156A9689000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557995398.00000156A967A000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: msctf.pdb source: firefox.exe, 0000000E.00000003.1557801487.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564017930.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.1581856892.00000156A78F7000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: version.pdb source: firefox.exe, 0000000E.00000003.1570703714.00000156A9628000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: dbgcore.pdb source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: mscms.pdb source: firefox.exe, 0000000E.00000003.1563932432.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557801487.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: firefox.pdb^/gampad/.*xml_vmap1.*$ source: firefox.exe, 0000000E.00000003.1571003623.00000156A8C4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1566331167.00000156A8C4B000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: firefox.pdbp source: firefox.exe, 0000000E.00000003.1571003623.00000156A8C4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1566331167.00000156A8C4B000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: user32.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb` source: firefox.exe, 0000000E.00000003.1563932432.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557801487.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: twinapi.pdb source: firefox.exe, 0000000E.00000003.1557801487.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564017930.00000156A96AC000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: msasn1.pdb source: firefox.exe, 0000000E.00000003.1570703714.00000156A9628000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
    Source: Binary string: psapi.pdb source: firefox.exe, 0000000E.00000003.1570703714.00000156A9628000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: DWrite.pdb source: firefox.exe, 0000000E.00000003.1570568985.00000156A966C000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdb source: firefox.exe, 0000000E.00000003.1582135528.00000156A789F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564739004.00000156A8F51000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: combase.pdb source: firefox.exe, 0000000E.00000003.1558461375.00000156A9149000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: dxgi.pdb source: firefox.exe, 0000000E.00000003.1563932432.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557801487.00000156A96BA000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.1587931229.00000156A4968000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ncrypt.pdb source: firefox.exe, 0000000E.00000003.1555482241.00000156AA608000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: 8linkinfo.pdb source: firefox.exe, 0000000E.00000003.1582422082.00000156A7891000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: crypt32.pdb source: firefox.exe, 0000000E.00000003.1558930582.00000156A8FF2000.00000004.00000800.00020000.00000000.sdmp
    Source: P0HV8mjHS1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: P0HV8mjHS1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: P0HV8mjHS1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: P0HV8mjHS1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: P0HV8mjHS1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00BB42DE
    Source: gmpopenh264.dll.tmp.14.dr | Static PE information: section name: .rodata
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BD0A76 push ecx; ret 0_2_00BD0A89
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BCF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00BCF98E
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C41C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00C41C41
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-95717
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_0000026FA8FD6B77 rdtsc 18_2_0000026FA8FD6B77
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | API coverage: 3.8 %
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C1DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00C1DBBE
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BEC2A2 FindFirstFileExW,0_2_00BEC2A2
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C268EE FindFirstFileW,FindClose,0_2_00C268EE
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C2698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00C2698F
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C1D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C1D076
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C1D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C1D3A9
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C29642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C29642
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C2979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C2979D
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C29B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00C29B2B
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C25C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00C25C97
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00BB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00BB42DE
    Source: firefox.exe, 00000010.00000002.2576853061.0000022D9CF40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4oX
    Source: firefox.exe, 00000010.00000002.2570614083.0000022D9C60A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP
    Source: firefox.exe, 00000010.00000002.2570614083.0000022D9C60A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2570308438.000002329D7BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: firefox.exe, 00000010.00000002.2575901191.0000022D9CB19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
    Source: firefox.exe, 00000010.00000002.2576853061.0000022D9CF40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk`)
    Source: firefox.exe, 00000012.00000002.2575369259.0000026FA9740000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
    Source: firefox.exe, 00000012.00000002.2575369259.0000026FA9740000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW,
    Source: firefox.exe, 00000012.00000002.2575369259.0000026FA9740000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
    Source: firefox.exe, 00000012.00000002.2570543184.0000026FA8E1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
    Source: firefox.exe, 00000010.00000002.2576853061.0000022D9CF40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllLa0
    Source: P0HV8mjHS1.exe, 00000000.00000003.1409005572.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, P0HV8mjHS1.exe, 00000000.00000003.1408743074.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, P0HV8mjHS1.exe, 00000000.00000003.1409790004.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, P0HV8mjHS1.exe, 00000000.00000002.1414637752.0000000000E91000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2576853061.0000022D9CF40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2575369259.0000026FA9740000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Process information queried: ProcessInformation
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_0000026FA8FD6B77 rdtsc 18_2_0000026FA8FD6B77
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe | Code function: 0_2_00C2EAA2 BlockInput,0_2_00C2EAA2
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00BE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BE2622
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00BB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00BB42DE
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00BD4CE8 mov eax, dword ptr fs:[00000030h]0_2_00BD4CE8
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C10B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00C10B62
    Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00BE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BE2622
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00BD083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BD083F
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00BD09D5 SetUnhandledExceptionFilter,0_2_00BD09D5
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00BD0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00BD0C21
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C11201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00C11201
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00BF2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00BF2BA5
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C1B226 SendInput,keybd_event,0_2_00C1B226
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_00C322DA
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /TJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /TJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /TJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /TJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /TJump to behavior
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C10B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00C10B62
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C11663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00C11663
    Source: P0HV8mjHS1.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
    Source: P0HV8mjHS1.exeBinary or memory string: Shell_TrayWnd
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00BD0698 cpuid 0_2_00BD0698
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C0D21C GetLocalTime,0_2_00C0D21C
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00C0D27A GetUserNameW,0_2_00C0D27A
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00BEB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00BEB952
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exeCode function: 0_2_00BB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00BB42DE

    Stealing of Sensitive Information

    Source: Yara match; File source: Process Memory Space: P0HV8mjHS1.exe PID: 7604, type: MEMORYSTR
    Source: P0HV8mjHS1.exe; Binary or memory string: WIN_81
    Source: P0HV8mjHS1.exe; Binary or memory string: WIN_XP
    Source: P0HV8mjHS1.exe; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
    Source: P0HV8mjHS1.exe; Binary or memory string: WIN_XPe
    Source: P0HV8mjHS1.exe; Binary or memory string: WIN_VISTA
    Source: P0HV8mjHS1.exe; Binary or memory string: WIN_7
    Source: P0HV8mjHS1.exe; Binary or memory string: WIN_8

    Remote Access Functionality

    Source: Yara match; File source: Process Memory Space: P0HV8mjHS1.exe PID: 7604, type: MEMORYSTR
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe; Code function: 0_2_00C31204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
    Source: C:\Users\user\Desktop\P0HV8mjHS1.exe; Code function: 0_2_00C31806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
    MITRE ATT&CK Matrix (tactic columns; the number in parentheses is the signature count shown next to a technique)

    Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
    Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
    Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
    Execution: Windows Management Instrumentation (1), Native API (1), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
    Persistence: DLL Side-Loading (1), Valid Accounts (2), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
    Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Extra Window Memory Injection (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (2), Startup Items, Scheduled Task/Job, At, Cron
    Defense Evasion: Disable or Modify Tools (2), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1), Extra Window Memory Injection (1), Masquerading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (1), Access Token Manipulation (21), Process Injection (2)
    Credential Access: Input Capture (21), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
    Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (16), Security Software Discovery (131), Virtualization/Sandbox Evasion (1), Process Discovery (3), Application Window Discovery (1), System Owner/User Discovery (1), Network Service Discovery
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
    Collection: Archive Collected Data (1), Input Capture (21), Clipboard Data (3), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
    Command and Control: Ingress Tool Transfer (2), Encrypted Channel (12), Non-Application Layer Protocol (2), Application Layer Protocol (3), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
    Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
    Behavior Graph ID: 1575788 Sample: P0HV8mjHS1.exe Startdate: 16/12/2024 Architecture: WINDOWS Score: 80
    Start node: youtube.com; youtube-ui.l.google.com; 34 other IPs or domains. Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Credential Flusher; 3 other signatures.
    Process tree:
      P0HV8mjHS1.exe (started). Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
        taskkill.exe 1 (started) -> conhost.exe (started)
        taskkill.exe 1 (started) -> conhost.exe (started)
        taskkill.exe 1 (started) -> conhost.exe (started)
        3 other processes -> conhost.exe (started); conhost.exe (started)
      firefox.exe 1 (started)
        firefox.exe 3 201 (started). Network: youtube.com 142.250.181.78, 443, 49735, 49736 GOOGLEUS United States; prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49734, 49748, 49749 GOOGLEUS United States; 10 other IPs or domains. Dropped: C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+; C:\Users\user\...\gmpopenh264.dll (copy), PE32+
          firefox.exe 1 (started)
          firefox.exe 1 (started)
          firefox.exe 1 (started)

    Source: P0HV8mjHS1.exe; Detection: 47%; Scanner: ReversingLabs; Label: Win32.Trojan.Amadey
    Source: P0HV8mjHS1.exe; Detection: 100%; Scanner: Avira; Label: TR/ATRAPS.Gen
    Source: P0HV8mjHS1.exe; Detection: 100%; Scanner: Joe Sandbox ML
    Source: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy); Detection: 0%; Scanner: ReversingLabs
    Source: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp; Detection: 0%; Scanner: ReversingLabs
    No Antivirus matches
    No Antivirus matches
    Source: https://login.li; Detection: 0%; Scanner: Avira URL Cloud; Label: safe
                                                                                                                  high
                                                                                                                  https://www.msn.comfirefox.exe, 0000000E.00000003.1552632724.00000156AA575000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://github.com/mozilla-services/screenshotsfirefox.exe, 0000000E.00000003.1376372239.00000156A6F20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376999532.00000156A6F7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376545699.00000156A6F3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376196675.00000156A6D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1376707963.00000156A6F5D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://services.addons.mozilla.org/api/v4/addons/addon/firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&ctafirefox.exe, 00000010.00000002.2572513433.0000022D9C9E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2572373433.0000026FA91E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2576187425.000002329DD03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drfalse
                                                                                                                          high
                                                                                                                          https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-deffirefox.exe, 0000000E.00000003.1418194111.00000156A762C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://tracking-protection-issues.herokuapp.com/newfirefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-reportfirefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://youtube.com/firefox.exe, 0000000E.00000003.1551428259.00000156AF45D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=htfirefox.exe, 0000000E.00000003.1532965897.00000156B318B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://www.instagram.com/firefox.exe, 0000000E.00000003.1433542927.00000156A8EDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1438696139.00000156A8EDA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-reportfirefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://api.accounts.firefox.com/v1firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://login.lifirefox.exe, 0000000E.00000003.1516978191.00000156A8BB1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          https://ok.ru/firefox.exe, 0000000E.00000003.1564198032.00000156A949E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://www.amazon.com/firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1540763963.00000156AFB32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullScfirefox.exe, 0000000E.00000003.1552024445.00000156AF83C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protectionsfirefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://www.youtube.com/firefox.exe, 0000000E.00000003.1535894217.00000156AF8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1540763963.00000156AFB32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2572373433.0000026FA910A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2572567940.000002329DB0C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://bugzilla.mozilla.org/show_bug.cgi?id=1283601firefox.exe, 0000000E.00000003.1443420231.00000156B1133000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shieldfirefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://MD8.mozilla.org/1/mfirefox.exe, 0000000E.00000003.1580820227.00000156A797D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://www.bbc.co.uk/firefox.exe, 0000000E.00000003.1561280442.00000156AFB0F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://addons.mozilla.org/firefox/addon/to-google-translate/firefox.exe, 0000000E.00000003.1559343506.00000156B318B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1532965897.00000156B318B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=firefox.exe, 00000014.00000002.2572567940.000002329DBC4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://127.0.0.1:firefox.exe, 0000000E.00000003.1564198032.00000156A94BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152firefox.exe, 0000000E.00000003.1430935493.00000156A8B8C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://bugzilla.mofirefox.exe, 0000000E.00000003.1567052083.00000156B3148000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://mitmdetection.services.mozilla.com/firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://static.adsafeprotected.com/firefox-etp-jsfirefox.exe, 0000000E.00000003.1564739004.00000156A8F51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://youtube.com/account?=recovery.jsonlz4.tmp.14.drfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapturefirefox.exe, 0000000E.00000003.1552024445.00000156AF83C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577226926.00000156AF845000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://spocs.getpocket.com/firefox.exe, 0000000E.00000003.1580652692.00000156A79AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1569078140.00000156AF52A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2572373433.0000026FA9112000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2572567940.000002329DB13000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://services.addons.mozilla.org/api/v4/abuse/report/addon/firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-ffirefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://www.iqiyi.com/firefox.exe, 0000000E.00000003.1561280442.00000156AFB0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564198032.00000156A949E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_rfirefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://monitor.firefox.com/user/breach-stats?includeResolved=truefirefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-reportfirefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://merino.services.mozilla.com/api/v1/suggestaboutfirefox.exe, 00000010.00000002.2572513433.0000022D9C972000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://a9.com/-/spec/opensearch/1.0/firefox.exe, 0000000E.00000003.1563181985.00000156A97EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1578086606.00000156A97EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557015355.00000156A97EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://safebrowsing.google.com/safebrowsing/diagnostic?site=firefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://monitor.firefox.com/user/dashboardfirefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_IDfirefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://support.mozilla.org/products/firefoxgro.allizom.troppus.njy8xaI_aUJpfirefox.exe, 0000000E.00000003.1572136257.00000156A88DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://monitor.firefox.com/aboutfirefox.exe, 00000010.00000002.2575633850.0000022D9CA20000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2571249521.0000026FA8F50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2572014922.000002329D980000.00000002.10000000.00040000.00000000.sdmpfalse
IP distribution map legend: No. of IPs < 25% | 25% < No. of IPs < 50% | 50% < No. of IPs < 75% | 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
151.101.1.91 | services.addons.mozilla.org | United States | 54113 | FASTLYUS | false
34.149.100.209 | prod.remote-settings.prod.webservices.mozgcp.net | United States | 2686 | ATGS-MMD-ASUS | false
34.107.243.93 | push.services.mozilla.com | United States | 15169 | GOOGLEUS | false
34.107.221.82 | prod.detectportal.prod.cloudops.mozgcp.net | United States | 15169 | GOOGLEUS | false
35.244.181.201 | prod.balrog.prod.cloudops.mozgcp.net | United States | 15169 | GOOGLEUS | false
34.117.188.166 | contile.services.mozilla.com | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
35.201.103.21 | normandy-cdn.services.mozilla.com | United States | 15169 | GOOGLEUS | false
142.250.181.78 | youtube.com | United States | 15169 | GOOGLEUS | false
35.190.72.216 | prod.classify-client.prod.webservices.mozgcp.net | United States | 15169 | GOOGLEUS | false
34.160.144.191 | prod.content-signature-chains.prod.webservices.mozgcp.net | United States | 2686 | ATGS-MMD-ASUS | false
34.120.208.123 | telemetry-incoming.r53-2.services.mozilla.com | United States | | |
                                                                                                                                                                                                                                                                          15169GOOGLEUSfalse
                                                                                                                                                                                                                                                                          IP
                                                                                                                                                                                                                                                                          127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575788
Start date and time: 2024-12-16 10:23:48 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: P0HV8mjHS1.exe (renamed because the original name is a hash value)
Original Sample Name: 1d201eba6524ce8727dadf2031fc2b4a.exe
Detection: MAL
Classification: mal80.troj.evad.winEXE@34/34@67/12
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 50
• Number of non-executed functions: 289
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 54.213.181.160, 44.228.225.150, 35.85.93.176, 172.217.17.46, 88.221.134.155, 88.221.134.209, 142.250.181.138, 13.107.246.63, 23.218.208.109, 4.175.87.197
• Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, azureedge-t-prod.trafficmanager.net, safebrowsing.googleapis.com, location.services.mozilla.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: P0HV8mjHS1.exe
Time | Type | Description
04:24:55 | API Interceptor | 1x Sleep call for process: firefox.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name
34.117.188.166 | mdPov8VTwi.exe | malicious | Credential Flusher
34.117.188.166 | mdPov8VTwi.exe | malicious | Credential Flusher
34.117.188.166 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
34.117.188.166 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
34.117.188.166 | nmy4mJXEaz.exe | malicious | Credential Flusher
34.117.188.166 | 6eftz6UKDm.exe | malicious | Credential Flusher
34.117.188.166 | nmy4mJXEaz.exe | malicious | Credential Flusher
34.117.188.166 | 6eftz6UKDm.exe | malicious | Credential Flusher
34.117.188.166 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
34.117.188.166 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
151.101.1.91 | mdPov8VTwi.exe | malicious | Credential Flusher
151.101.1.91 | nmy4mJXEaz.exe | malicious | Credential Flusher
151.101.1.91 | file.exe | malicious | Credential Flusher
151.101.1.91 | file.exe | malicious | Credential Flusher
151.101.1.91 | file.exe | malicious | Credential Flusher
151.101.1.91 | file.exe | malicious | Credential Flusher
151.101.1.91 | file.exe | malicious | Credential Flusher
151.101.1.91 | file.exe | malicious | Credential Flusher
151.101.1.91 | file.exe | malicious | Credential Flusher
151.101.1.91 | file.exe | malicious | Credential Flusher
34.149.100.209 | mdPov8VTwi.exe | malicious | Credential Flusher
34.149.100.209 | mdPov8VTwi.exe | malicious | Credential Flusher
34.149.100.209 | nmy4mJXEaz.exe | malicious | Credential Flusher
34.149.100.209 | 6eftz6UKDm.exe | malicious | Credential Flusher
34.149.100.209 | nmy4mJXEaz.exe | malicious | Credential Flusher
34.149.100.209 | 6eftz6UKDm.exe | malicious | Credential Flusher
34.149.100.209 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar
34.149.100.209 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
34.149.100.209 | file.exe | malicious | Credential Flusher
34.149.100.209 | file.exe | malicious | Credential Flusher

Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
example.org | mdPov8VTwi.exe | malicious | Credential Flusher | 93.184.215.14
example.org | mdPov8VTwi.exe | malicious | Credential Flusher | 93.184.215.14
example.org | file.exe | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | 93.184.215.14
example.org | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 93.184.215.14
example.org | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 93.184.215.14
example.org | nmy4mJXEaz.exe | malicious | Credential Flusher | 93.184.215.14
example.org | 6eftz6UKDm.exe | malicious | Credential Flusher | 93.184.215.14
                                                                                                                                                                                                                                                                                                                                      nmy4mJXEaz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 93.184.215.14
                                                                                                                                                                                                                                                                                                                                      6eftz6UKDm.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 93.184.215.14
                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                                                                                                      • 93.184.215.14
                                                                                                                                                                                                                                                                                                                                      star-mini.c10r.facebook.commdPov8VTwi.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 157.240.196.35
                                                                                                                                                                                                                                                                                                                                      mdPov8VTwi.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 157.240.196.35
                                                                                                                                                                                                                                                                                                                                      https://zde.soundestlink.com/ce/c/675fab7ba82aca38b8d991e6/675fabf585cd17d1e3e2bb78/675fac13057112d43b540576?signature=da009f44f7cd45aeae4fbb5addf15ac91fbf725bb5e9405183f25bf1db8c8baaGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                      • 157.240.196.35
                                                                                                                                                                                                                                                                                                                                      https://fsharetv.co/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                      • 157.240.195.35
                                                                                                                                                                                                                                                                                                                                      nmy4mJXEaz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 157.240.196.35
                                                                                                                                                                                                                                                                                                                                      6eftz6UKDm.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 157.240.195.35
                                                                                                                                                                                                                                                                                                                                      nmy4mJXEaz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 157.240.196.35
                                                                                                                                                                                                                                                                                                                                      6eftz6UKDm.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 157.240.196.35
                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                                                                                                                                                                                                                                                                      • 157.240.196.35
                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, VidarBrowse
                                                                                                                                                                                                                                                                                                                                      • 157.240.196.35
                                                                                                                                                                                                                                                                                                                                      twitter.commdPov8VTwi.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 104.244.42.65
                                                                                                                                                                                                                                                                                                                                      mdPov8VTwi.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 104.244.42.65
                                                                                                                                                                                                                                                                                                                                      nmy4mJXEaz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 104.244.42.65
                                                                                                                                                                                                                                                                                                                                      6eftz6UKDm.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 104.244.42.65
                                                                                                                                                                                                                                                                                                                                      nmy4mJXEaz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 104.244.42.193
                                                                                                                                                                                                                                                                                                                                      6eftz6UKDm.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 104.244.42.193
                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                                                                                                                                                                                                                                                                      • 104.244.42.1
                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, VidarBrowse
                                                                                                                                                                                                                                                                                                                                      • 104.244.42.129
                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousAmadey, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                                                                                                                                                                                                                                      • 104.244.42.65
                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousAmadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, StealcBrowse
                                                                                                                                                                                                                                                                                                                                      • 104.244.42.193
ASNs

Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: FASTLY US
  Associated Sample Name / URL | Detection | Threat Name | Context
  mdPov8VTwi.exe | malicious | Credential Flusher | 151.101.65.91
  mdPov8VTwi.exe | malicious | Credential Flusher | 151.101.1.91
  https://cavotec-au.sharefile.com/public/share/web-1271a93971714a91 | malicious | HTMLPhisher | 151.101.66.137
  https://omnirayoprah.cfd/orzbq | malicious | Unknown | 151.101.2.137
  https://zde.soundestlink.com/ce/c/675fab7ba82aca38b8d991e6/675fabf585cd17d1e3e2bb78/675fac13057112d43b540576?signature=da009f44f7cd45aeae4fbb5addf15ac91fbf725bb5e9405183f25bf1db8c8baa | malicious | Unknown | 151.101.2.137
  https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-7DW79067WM944534C%2FU-3RN06382B68072443%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=mv2NVEuUR9VvkcyUJ89EG.tzUFO5CbJFQUTSWg&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-7DW79067WM944534C%2FU-3RN06382B68072443%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3Dmv2NVEuUR9VvkcyUJ89EG.tzUFO5CbJFQUTSWg%22%7D%7D&flowContextData=3VhkG6GfeMFpPs0RyY94VfaPuu2gnDuZkT0vO2-Owy5Q0TLELhHoBl0C3rYOuScB-P1puLFiHoe8q1yHNkorMrsQ-kVAt54br43PgY3iTrhwRm0aS_TYpgjIbliH5dfDJJr3q03bJkAa9vLd7Cr3oAjCQ5rfmoQCALWFn-qszHw7Rd_aj20-SECud0ZSxh-oKENUYjnmdRqAckr48r-ddvc-Vgo4zQnu7JkI5YB_1CxdutYkC-X7iD96T-7aDJhAmyxkfGKQ53prsK5Kys2hLiVrkCjSURM1RSmWzlwznlByQzHhv1R0VrGdaW03mCZt_U0pKOeWAwiNac8f&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=16a0a3c3-b960-11ef-862e-f3094488c6dd&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=16a0a3c3-b960-11ef-862e-f3094488c6dd&calc=f53338153f55e&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.295.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin | malicious | Unknown | 151.101.193.21
  http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450 | malicious | Unknown | 151.101.194.137
  https://fsharetv.co/ | malicious | Unknown | 151.101.65.16
  IGz.arm.elf | malicious | Mirai | 167.83.97.28
  nmy4mJXEaz.exe | malicious | Credential Flusher | 151.101.1.91

Match: GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG
  Associated Sample Name / URL | Detection | Threat Name | Context
  mdPov8VTwi.exe | malicious | Credential Flusher | 34.117.188.166
  mdPov8VTwi.exe | malicious | Credential Flusher | 34.117.188.166
  arm6.elf | malicious | Unknown | 34.117.135.65
  file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 34.117.188.166
  armv5l.elf | malicious | Unknown | 34.119.157.208
  file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 34.117.188.166
  nmy4mJXEaz.exe | malicious | Credential Flusher | 34.117.188.166
  6eftz6UKDm.exe | malicious | Credential Flusher | 34.117.188.166
                                                                                                                                                                                                                                                                                                                                      nmy4mJXEaz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 34.117.188.166
                                                                                                                                                                                                                                                                                                                                      6eftz6UKDm.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 34.117.188.166
                                                                                                                                                                                                                                                                                                                                      ATGS-MMD-ASUSmdPov8VTwi.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 34.160.144.191
                                                                                                                                                                                                                                                                                                                                      mdPov8VTwi.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                      • 34.160.144.191
                                                                                                                                                                                                                                                                                                                                      1.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                      • 192.56.124.79
                                                                                                                                                                                                                                                                                                                                      arm5.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                      • 56.55.47.44
                                                                                                                                                                                                                                                                                                                                      arm.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                      • 32.250.10.46
                                                                                                                                                                                                                                                                                                                                      sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                      • 51.237.32.223
                                                                                                                                                                                                                                                                                                                                      ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                      • 48.169.33.91
                                                                                                                                                                                                                                                                                                                                      mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                      • 33.210.242.0
                                                                                                                                                                                                                                                                                                                                      arm6.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                      • 51.230.252.202
                                                                                                                                                                                                                                                                                                                                      m68k.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                      • 48.201.186.239
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
fb0aa01abe9d8e4037eb3473ca6e2dca | mdPov8VTwi.exe | Get hash | malicious | Credential Flusher | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123, 151.101.1.91
 | mdPov8VTwi.exe | Get hash | malicious | Credential Flusher | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123, 151.101.1.91
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123, 151.101.1.91
 | nmy4mJXEaz.exe | Get hash | malicious | Credential Flusher | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123, 151.101.1.91
 | 6eftz6UKDm.exe | Get hash | malicious | Credential Flusher | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123, 151.101.1.91
 | nmy4mJXEaz.exe | Get hash | malicious | Credential Flusher | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123, 151.101.1.91
 | 6eftz6UKDm.exe | Get hash | malicious | Credential Flusher | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123, 151.101.1.91
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123, 151.101.1.91
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123, 151.101.1.91
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123, 151.101.1.91
                                                                                                                                                                                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)mdPov8VTwi.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                        mdPov8VTwi.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                          nmy4mJXEaz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                            6eftz6UKDm.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                              nmy4mJXEaz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                6eftz6UKDm.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                  file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                    file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                        file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                          C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmpmdPov8VTwi.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                            mdPov8VTwi.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                              nmy4mJXEaz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                                6eftz6UKDm.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                                  nmy4mJXEaz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                                    6eftz6UKDm.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                                        file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                                          file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                                            file.exeGet hashmaliciousCredential FlusherBrowse
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:JSON data
Category:dropped
Size (bytes):7946
Entropy (8bit):5.17823698829116
Encrypted:false
SSDEEP:192:zMMXVhicbhbVbTbfbRbObtbyEl7nxr7JA6unSrDtTkdyS1:ztacNhnzFSJRry1nSrDhkdyY
MD5:4DE7807F4F9CC14149C3938E02A1BA4A
SHA1:313A43B649F3B298E887711D34AAF6F285F10109
SHA-256:DC66F7ED69D5BFFB68F0459CD52CDC8C1DFE91A5B08AEA12CBB94CED9AAF9036
SHA-512:D68CCF628E03FB58532262BB50CF2C7B4C82A7E182A5B5B335A2EC759BEBD5A838292A404E5AF4DB4AE38484E8A61B1B4C8EB41002F216E72FEBE8590ECC6DF8
Malicious:false
Preview:{"type":"uninstall","id":"bc63c8a5-a478-4de3-acea-9f1fc9fbf201","creationDate":"2024-12-16T10:36:00.642Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"c52d5856-ece5-494f-aabd-86188f9ce2c7","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:dropped
Size (bytes):32768
Entropy (8bit):0.4593089050301797
Encrypted:false
SSDEEP:48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:D910AD167F0217587501FDCDB33CC544
SHA1:2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:false
Preview:... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:dropped
Size (bytes):453023
Entropy (8bit):7.997718157581587
Encrypted:true
SSDEEP:12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:85430BAED3398695717B0263807CF97C
SHA1:FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:false
Preview:PK.........bN...R..........gmpopenh264.dll..|.E.0.=..I.....1....4f1q.`.........q.....'+....h*m{.z..o_.{w........$..($A!...|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`...*.........ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\......*.....-i.K.I..4.a..6..*...Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N.*.}..).3.N%.!..q*........^I.m..~...6.#.~+.....A...I]r...x..*.<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..|c.1.cUkM.&.Qn]..a]t.h..*.!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.
Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):4419
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):4.9362887017146395
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:96:gjziNFS+O2PUFzOdwNIOd8jvYRGrLdt8P:gjziNFS+OyUxOdwiOd8jTLdt8P
                                                                                                                                                                                                                                                                                                                                                                              MD5:EBB45185E84254869AABC33B9C41F808
                                                                                                                                                                                                                                                                                                                                                                              SHA1:C86CCB76595A1078E57E359CCE770FE0484BE39C
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:63E3E7965DE2D4FA8E0FCA5AC0B2ECE5D736E800168E23E0F785B66C97F7C986
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:28E372AFBE87ACDECAFCEBC993C7527A45342A7B6920D22BE3E18CCF6AC5AD4EBFA8694C72FCCB1014B569C0BAE0A752BA815822E8CD6E5E8B25BE3699738565
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"22cb469c-1a0f-4c4f-8465-adc25b4d990d","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T09:51:32.910Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:Mozilla lz4 compressed data, originally 23432 bytes
Category:dropped
Size (bytes):5321
Entropy (8bit):6.616950216416023
Encrypted:false
SSDEEP:96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2Xb:VTx2x2t0FDJ4NpwZMd0EJwq
MD5:E1518C2B2784D504C84C175662D1EF14
SHA1:A3F4A3BD1C7F48BF4743BB3D1D3FED577D64D83B
SHA-256:C807EF41D3523DFDB6CFC7CE39802775C41D527EE6E392251ED722C8AA53E89C
SHA-512:37A02E4A3082DF419A0D7A8D48DC2997347B6F7D79142D0097D6B4B3FFE7AD646EF4C0B0E8D7171C871A163A25913F5F71E11467037290C980428ED9B1FC1B7D
Malicious:false
Preview:mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."*://login.microsoftonline.com/*","..@us/*L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay*....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):24
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):3.91829583405449
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:3:YWGifTJE6iHQ:YWGif9EE
                                                                                                                                                                                                                                                                                                                                                                              MD5:3088F0272D29FAA42ED452C5E8120B08
                                                                                                                                                                                                                                                                                                                                                                              SHA1:C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:{"schema":6,"addons":[]}
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:dropped
Size (bytes):262144
Entropy (8bit):0.04905141882491872
Encrypted:false
SSDEEP:24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:8736A542C5564A922C47B19D9CC5E0F2
SHA1:CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j......|....~.}.}z}-|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:Mozilla lz4 compressed data, originally 56 bytes
Category:dropped
Size (bytes):66
Entropy (8bit):4.837595020998689
Encrypted:false
SSDEEP:3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:false
Preview:mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:JSON data
Category:dropped
Size (bytes):36830
Entropy (8bit):5.188139169100479
Encrypted:false
SSDEEP:768:Y8I4ovfnXg4p6z4d4fv4A4RYhvMM4lV4PX4P45I464x:366vM0
MD5:83BB625BB55A7C6258C8A955E9355247
SHA1:F471A0899DA8F9D1891FE84EEE57F49A483BD354
SHA-256:43EDDA472C6BF4E1D8930DE16766D904D45CFAB872BE0EFD34A97C9A7FF6C2F1
SHA-512:5DFB70D3E2766CC995FA5376BDC80695240F110D50796264F94DC8F4BBD57C284062DDC5B175F77BE81F10E3222132A77E4A904E44A358F1CFBADD5DBFD14B9E
Malicious:false
Preview:{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{00c60170-fd9d-4229-8c0b-f2fb3c217cc3}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.017262956703125623
Encrypted:false
SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:false
Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1021904
Entropy (8bit):6.648417932394748
Encrypted:false
SSDEEP:12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:FE3355639648C417E8307C6D051E3E37
SHA1:F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View (other analyses in which this same file was dropped):
• Filename: mdPov8VTwi.exe, Detection: malicious
• Filename: mdPov8VTwi.exe, Detection: malicious
• Filename: nmy4mJXEaz.exe, Detection: malicious
• Filename: 6eftz6UKDm.exe, Detection: malicious
• Filename: nmy4mJXEaz.exe, Detection: malicious
• Filename: 6eftz6UKDm.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1021904
Entropy (8bit):6.648417932394748
Encrypted:false
SSDEEP:12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:FE3355639648C417E8307C6D051E3E37
SHA1:F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View (other analyses in which this same file was dropped):
• Filename: mdPov8VTwi.exe, Detection: malicious
• Filename: mdPov8VTwi.exe, Detection: malicious
• Filename: nmy4mJXEaz.exe, Detection: malicious
• Filename: 6eftz6UKDm.exe, Detection: malicious
• Filename: nmy4mJXEaz.exe, Detection: malicious
• Filename: 6eftz6UKDm.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................
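The dropped-file entries above each carry the same triage fields: Size (bytes), Entropy (8bit), Encrypted, MD5/SHA1/SHA-256/SHA-512 and a libmagic-style File Type. When you pull a dropped artifact out of a sandbox or off a host, recomputing those fields locally is the quickest way to confirm you are holding the same bytes the report describes, and the entropy value is what separates the near-empty 32768-byte "data" file (0.017 bits per byte, almost entirely NUL) from the 1 MB DLL (6.65, typical of unpacked native code) and from packed or encrypted payloads (close to 8). The script below is an added example and is not Joe Sandbox code; the 7.5 bits-per-byte cut-off for the Encrypted flag, the reduced File Type labels, and the three sample buffers are all assumptions constructed here for illustration, not the files from this report.

```python
"""Recompute Joe Sandbox-style dropped-file metadata (added example, not Joe Sandbox code)."""
import hashlib
import math
import struct
from collections import Counter

# Assumption: the threshold behind the report's "Encrypted" flag is not published;
# 7.5 bits/byte is a common packer/crypto triage heuristic used here for illustration.
ENCRYPTED_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0); this is what 'Entropy (8bit)' reports."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Coarse file-type label (a reduced stand-in for the libmagic strings in the report).

    Parses just enough of the PE header to tell a PE32/PE32+ DLL from an EXE.
    """
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine, = struct.unpack_from("<H", data, e_lfanew + 4)
            characteristics, = struct.unpack_from("<H", data, e_lfanew + 22)
            arch = {0x014C: "PE32 executable", 0x8664: "PE32+ executable"}.get(machine, "PE executable")
            kind = " (DLL)" if characteristics & 0x2000 else ""  # IMAGE_FILE_DLL
            return arch + kind
        return "MS-DOS executable"
    if data and all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in data):
        return "ASCII text"
    return "data"


def file_metadata(data: bytes) -> dict:
    """Return the fields a dropped-file entry carries, with the report's upper-case hex digests."""
    entropy = shannon_entropy(data)
    return {
        "File Type": classify(data),
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy,
        "Encrypted": entropy >= ENCRYPTED_THRESHOLD,
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


# Constructed samples (not the dropped files from the report), one per File Type seen above.
# A 32768-byte buffer that is almost entirely NUL, like the 'data' entry dropped by firefox.exe.
_blob = bytearray(32768)
for _off, _val in ((0x02, 0x2D), (0x28, 0x38), (0x2C, 0x35), (0x30, 0x2D), (0x56, 0x38), (0x5A, 0x35)):
    _blob[_off] = _val
SPARSE_BLOB = bytes(_blob)

# A minimal MZ stub plus COFF header claiming x86-64 and IMAGE_FILE_DLL; no sections.
FAKE_DLL = (b"MZ" + bytes(58) + struct.pack("<I", 0x40)
            + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, 0x2022))

TEXT_FILE = b"[General]\r\nVersion=1\r\n"

if __name__ == "__main__":
    for name, blob in (("sparse", SPARSE_BLOB), ("dll", FAKE_DLL), ("text", TEXT_FILE)):
        print(name, file_metadata(blob))
```

Compare the digests against the entry, not just the size: the two DLL entries above share every hash, so a single local recomputation verifies both, whereas an entropy or size match alone says nothing about identity. Note also that "Malicious: false" and a 0% ReversingLabs rate for the DLL are statements about that file; the Joe Sandbox View hits only record that the same file was dropped in other analyses whose submitted samples were rated malicious.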
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):116
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):4.968220104601006
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
                                                                                                                                                                                                                                                                                                                                                                              MD5:3D33CDC0B3D281E67DD52E14435DD04F
                                                                                                                                                                                                                                                                                                                                                                              SHA1:4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):116
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):4.968220104601006
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
                                                                                                                                                                                                                                                                                                                                                                              MD5:3D33CDC0B3D281E67DD52E14435DD04F
                                                                                                                                                                                                                                                                                                                                                                              SHA1:4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):98304
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):0.07338695179673393
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkip:DLhesh7Owd4+jip
                                                                                                                                                                                                                                                                                                                                                                              MD5:305B162DEEE5476C2B6D8E4F090E7B73
                                                                                                                                                                                                                                                                                                                                                                              SHA1:9395A0B24CD5587CA7D0596D660462C0E2F5A122
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:CA6526C6A2D6A33E8396DC5646164A2657D8C3D306DDB7A0FE8B5344720A0754
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:53CE9CAA8C05264AB170F0A00126BBEB47FA76AB54C43370B6E96112F95BBF530D45066A971C9002F1FF8CF8A9A818598836FA5291AC1C34A7F56594ED9DB7B8
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):32768
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):0.035822017202226504
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:3:GtlstFMxmHyBKyBMIttlstFMxmHyBKyBml/J89//alEl:GtWtOxsyBMIttWtOxsyBmtJ89XuM
                                                                                                                                                                                                                                                                                                                                                                              MD5:63129922C6357834659C91A7B2EE75CB
                                                                                                                                                                                                                                                                                                                                                                              SHA1:B7EBF4BC35C707CB0AC624052FE069B1E6989F67
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:87D9A9EB8AA80DD64C66EC64F6487E04848B6CECBAE6FCA52DB86F6841E3DECA
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:464B2606561C7013C30DFBB805280434C6E08D74D0EF498E8C1DC9A8240DADB9954EF99791FC4922622CE99AA229300DE4E00C1CF0BB997FDF828CB7B54DC277
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:..-......................T~g.O(*%!..7....".?W$...-......................T~g.O(*%!..7....".?W$.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:SQLite Write-Ahead Log, version 3007000
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):32824
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):0.03930868612720546
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:3:Ol15VShDqrp5xlCfArPCbOq1v/X7l8rEXsxdwhml8XW3R2:KVShiXROvDl8dMhm93w
                                                                                                                                                                                                                                                                                                                                                                              MD5:B6C259E6CD8BDFCEDA9BF83C69043E5A
                                                                                                                                                                                                                                                                                                                                                                              SHA1:B546344CC7735979A1D52B3A1CCC3C0B809B8FA5
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:DF3D09A9E462478A011B8A6DF259960313DAC98AFE45AA44F140A13689D5B930
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:EDEB09F063C9925228639629393E90868831BCB0D286C1D1376C94A80795EC37625F6E09F82E577F637C5C9EF19CA24FC15D74064529CEEBCFD5D22B85832366
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:7....-..........%!..7...n$8............%!..7...g~T.*(O.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:ASCII text, with very long lines (1808), with CRLF line terminators
Category:dropped
Size (bytes):14172
Entropy (8bit):5.464512845609499
Encrypted:false
SSDEEP:192:SQnBRNZ3YbBp6vR1+PaX06/x8lmxz9/3/7tQ5RHNBw8dkSl:Sgeg1r/xrt9CPwn0
MD5:3D2714C0C5F91424DADDEA5386008978
SHA1:A747BE4806A58C568D392CC0C97FE030DBFB45C8
SHA-256:05F02D1BD3BF004A261BCF6F332A1621D05C812AD1A1866DF5DFF933380F6947
SHA-512:C77DAD99FCF591C61FC2E370D50E5E078BDA273C0DB21A34E6E7ABD85FBDC1A7FFE90CC0D9557B420522092D274A586B4A0B8D3B2957E41B804D91D22A0AD8E4
Malicious:false
Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "ecedec8f-7097-47fc-a9e3-d74f0c8e2503");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734345331);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734345331);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734345331);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173434

Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:ASCII text, with very long lines (1808), with CRLF line terminators
Category:dropped
Size (bytes):14172
Entropy (8bit):5.464512845609499
Encrypted:false
SSDEEP:192:SQnBRNZ3YbBp6vR1+PaX06/x8lmxz9/3/7tQ5RHNBw8dkSl:Sgeg1r/xrt9CPwn0
MD5:3D2714C0C5F91424DADDEA5386008978
SHA1:A747BE4806A58C568D392CC0C97FE030DBFB45C8
SHA-256:05F02D1BD3BF004A261BCF6F332A1621D05C812AD1A1866DF5DFF933380F6947
SHA-512:C77DAD99FCF591C61FC2E370D50E5E078BDA273C0DB21A34E6E7ABD85FBDC1A7FFE90CC0D9557B420522092D274A586B4A0B8D3B2957E41B804D91D22A0AD8E4
Malicious:false
Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "ecedec8f-7097-47fc-a9e3-d74f0c8e2503");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734345331);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734345331);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734345331);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173434

Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):65536
Entropy (8bit):0.04062825861060003
Encrypted:false
SSDEEP:3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:60C09456D6362C6FBED48C69AA342C3C
SHA1:58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:JSON data
Category:dropped
Size (bytes):90
Entropy (8bit):4.194538242412464
Encrypted:false
SSDEEP:3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:false
Preview:{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:JSON data
Category:dropped
Size (bytes):90
Entropy (8bit):4.194538242412464
Encrypted:false
SSDEEP:3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:false
Preview:{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:Mozilla lz4 compressed data, originally 5861 bytes
Category:dropped
Size (bytes):1572
Entropy (8bit):6.351519882224826
Encrypted:false
SSDEEP:24:v+USUGlcAxSxypcLXnIgGI/pnxQwyLlscT5sB0n3eHVFseKuOWamhuj3IO7Um0WN:GUpOxYegnyLf/3eHOW4Y8N
MD5:3F68014A3926C7C0B9CD8BA91BF34D5F
SHA1:7A883D1E7F0700B38E2899F48DE9A3A1FC11953D
SHA-256:F68163E465B5334B3FE30CB1C4807EADCC7CF768CE8797088194E0E9999DAA31
SHA-512:148C5145FE2280E8DC6853B1AD71E59936C1FA321F03B24A1AFB568B98C77452BF1FACE8DD8E98BD0D69841D837E321AE3965B9D8728798FA6172AF700B787E9
Malicious:false
Preview:mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c6bf7730-7ab6-468b-bf70-3178b5370c4a}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734345336944,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ..],"_lastC..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...f44a76a6-556e-4dc8-8bf2-cf26f02d08a[..zD..1...Wm..l........j..:....1":{..jUpdate...5,"startTim..P00616...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A93e1b9c34761ff8e8daa914c9d20b354e9b09a60c2e612021388b36b843ead3e","path":"/","na..`"taarI!.bsecure...,`.Donly..fexpiry...05937,"originA...
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:dropped
Size (bytes):4096
Entropy (8bit):2.0836444556178684
Encrypted:false
SSDEEP:24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:8B40B1534FF0F4B533AF767EB5639A05
SHA1:63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:JSON data
Category:dropped
Size (bytes):4537
Entropy (8bit):5.031482224448254
Encrypted:false
SSDEEP:96:ycNNTEr5V/F/4U2zzcbvbw6KkOrc2Rn27:pTEr5VN/4U2z1phRe
MD5:8DA538449928085A23712A8D03BA4FF8
SHA1:904AA57E64E3461C765CE10A4E9278148E5533C1
SHA-256:EB4F3319570BEE4E3D841B88A21149848920431B4EFE7FF2F2B33A8EC1965A32
SHA-512:2FB0778E118DDCA540BFD77E1C12B70F1EA91E4EE8D9C103C1C348ED457DD6120265C22BE5E9431149B432BFA3615FBF74A59B279758F4DC5B7EC95691547681
Malicious:false
Preview:{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-16T10:35:17.478Z","profileAgeCreated":1696499488915,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"
                                                                                                                                                                                                                                                                                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):6.703271648634464
                                                                                                                                                                                                                                                                                                                                                                              TrID:
                                                                                                                                                                                                                                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                                                                                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                                                                                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                                                                                                                                                              File name:P0HV8mjHS1.exe
                                                                                                                                                                                                                                                                                                                                                                              File size:970'752 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5:1d201eba6524ce8727dadf2031fc2b4a
                                                                                                                                                                                                                                                                                                                                                                              SHA1:dc6d2a38a1a9a1b8d934c565eaf027e0c7328980
                                                                                                                                                                                                                                                                                                                                                                              SHA256:1d010229450de58155efd24ab76f0d4fa00b7da73e48f93a5660d2a5a9714881
                                                                                                                                                                                                                                                                                                                                                                              SHA512:97db4a138f12ea31377017d7dabbbd60a3332fb631d9fe295c4e8ff8b455d270489896c9a085462e29063721b64f78aca40f4812ae41204b28c1aafef592a4a2
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:24576:yqDEvCTbMWu7rQYlBQcBiT6rprG8a0hQ:yTvC/MTQYxsWR7a0
                                                                                                                                                                                                                                                                                                                                                                              TLSH:8425AE0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
                                                                                                                                                                                                                                                                                                                                                                              File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                                                                                                                                                                                                                                                                                                                                              Icon Hash:aaf3e3e3938382a0
                                                                                                                                                                                                                                                                                                                                                                              Entrypoint:0x420577
                                                                                                                                                                                                                                                                                                                                                                              Entrypoint Section:.text
                                                                                                                                                                                                                                                                                                                                                                              Digitally signed:false
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                                                                                                                                                                              Subsystem:windows gui
                                                                                                                                                                                                                                                                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                                                                                                                                                                                                                                                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                                                                                                                                              Time Stamp:0x675EF539 [Sun Dec 15 15:26:49 2024 UTC]
                                                                                                                                                                                                                                                                                                                                                                              TLS Callbacks:
                                                                                                                                                                                                                                                                                                                                                                              CLR (.Net) Version:
                                                                                                                                                                                                                                                                                                                                                                              OS Version Major:5
                                                                                                                                                                                                                                                                                                                                                                              OS Version Minor:1
                                                                                                                                                                                                                                                                                                                                                                              File Version Major:5
                                                                                                                                                                                                                                                                                                                                                                              File Version Minor:1
                                                                                                                                                                                                                                                                                                                                                                              Subsystem Version Major:5
                                                                                                                                                                                                                                                                                                                                                                              Subsystem Version Minor:1
                                                                                                                                                                                                                                                                                                                                                                              Import Hash:948cc502fe9226992dce9417f952fce3
                                                                                                                                                                                                                                                                                                                                                                              Instruction
                                                                                                                                                                                                                                                                                                                                                                              call 00007FF7646E3413h
                                                                                                                                                                                                                                                                                                                                                                              jmp 00007FF7646E2D1Fh
                                                                                                                                                                                                                                                                                                                                                                              push ebp
                                                                                                                                                                                                                                                                                                                                                                              mov ebp, esp
                                                                                                                                                                                                                                                                                                                                                                              push esi
                                                                                                                                                                                                                                                                                                                                                                              push dword ptr [ebp+08h]
                                                                                                                                                                                                                                                                                                                                                                              mov esi, ecx
                                                                                                                                                                                                                                                                                                                                                                              call 00007FF7646E2EFDh
                                                                                                                                                                                                                                                                                                                                                                              mov dword ptr [esi], 0049FDF0h
                                                                                                                                                                                                                                                                                                                                                                              mov eax, esi
                                                                                                                                                                                                                                                                                                                                                                              pop esi
                                                                                                                                                                                                                                                                                                                                                                              pop ebp
                                                                                                                                                                                                                                                                                                                                                                              retn 0004h
                                                                                                                                                                                                                                                                                                                                                                              and dword ptr [ecx+04h], 00000000h
                                                                                                                                                                                                                                                                                                                                                                              mov eax, ecx
                                                                                                                                                                                                                                                                                                                                                                              and dword ptr [ecx+08h], 00000000h
                                                                                                                                                                                                                                                                                                                                                                              mov dword ptr [ecx+04h], 0049FDF8h
                                                                                                                                                                                                                                                                                                                                                                              mov dword ptr [ecx], 0049FDF0h
                                                                                                                                                                                                                                                                                                                                                                              ret
                                                                                                                                                                                                                                                                                                                                                                              push ebp
                                                                                                                                                                                                                                                                                                                                                                              mov ebp, esp
                                                                                                                                                                                                                                                                                                                                                                              push esi
                                                                                                                                                                                                                                                                                                                                                                              push dword ptr [ebp+08h]
                                                                                                                                                                                                                                                                                                                                                                              mov esi, ecx
                                                                                                                                                                                                                                                                                                                                                                              call 00007FF7646E2ECAh
                                                                                                                                                                                                                                                                                                                                                                              mov dword ptr [esi], 0049FE0Ch
                                                                                                                                                                                                                                                                                                                                                                              mov eax, esi
                                                                                                                                                                                                                                                                                                                                                                              pop esi
                                                                                                                                                                                                                                                                                                                                                                              pop ebp
                                                                                                                                                                                                                                                                                                                                                                              retn 0004h
                                                                                                                                                                                                                                                                                                                                                                              and dword ptr [ecx+04h], 00000000h
                                                                                                                                                                                                                                                                                                                                                                              mov eax, ecx
                                                                                                                                                                                                                                                                                                                                                                              and dword ptr [ecx+08h], 00000000h
                                                                                                                                                                                                                                                                                                                                                                              mov dword ptr [ecx+04h], 0049FE14h
                                                                                                                                                                                                                                                                                                                                                                              mov dword ptr [ecx], 0049FE0Ch
                                                                                                                                                                                                                                                                                                                                                                              ret
                                                                                                                                                                                                                                                                                                                                                                              push ebp
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x16520 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xeb000 | 0x7594 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xd4000 | 0x16520 | 0x16600 | 2add8f91be40f4c34d2499a56a6076e4 | False | 0.7037032995810056 | data | 7.176189251970027 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xeb000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xd45f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xd4718 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xd4840 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xd4968 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
| RT_ICON | 0xd4c50 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
| RT_ICON | 0xd4d78 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
| RT_ICON | 0xd5c20 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
| RT_ICON | 0xd64c8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
| RT_ICON | 0xd6a30 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
| RT_ICON | 0xd8fd8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
| RT_ICON | 0xda080 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
| RT_MENU | 0xda4e8 | 0x50 | data | English | Great Britain | 0.9 |
| RT_DIALOG | 0xda538 | 0xfc | data | English | Great Britain | 0.6507936507936508 |
| RT_STRING | 0xda634 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xdabc8 | 0x68a | data | English | Great Britain | 0.2735961768219833 |
| RT_STRING | 0xdb254 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xdb6e4 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xdbce0 | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xdc33c | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xdc7a4 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xdc8fc | 0xd6a2 | data | | | 1.0004731918611 |
| RT_GROUP_ICON | 0xe9fa0 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
| RT_GROUP_ICON | 0xea018 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0xea02c | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0xea040 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0xea054 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
                                                                                                                                                                                                                                                                                                                                                                              RT_MANIFEST0xea1300x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 10:24:53.575678110 CET | 49734 | 80 | 192.168.2.10 | 34.107.221.82
Dec 16, 2024 10:24:53.576755047 CET | 49735 | 443 | 192.168.2.10 | 142.250.181.78
Dec 16, 2024 10:24:53.576801062 CET | 443 | 49735 | 142.250.181.78 | 192.168.2.10
Dec 16, 2024 10:24:53.577006102 CET | 49736 | 443 | 192.168.2.10 | 142.250.181.78
Dec 16, 2024 10:24:53.577018976 CET | 443 | 49736 | 142.250.181.78 | 192.168.2.10
Dec 16, 2024 10:24:53.577486992 CET | 49735 | 443 | 192.168.2.10 | 142.250.181.78
Dec 16, 2024 10:24:53.577529907 CET | 49736 | 443 | 192.168.2.10 | 142.250.181.78
Dec 16, 2024 10:24:53.582963943 CET | 49735 | 443 | 192.168.2.10 | 142.250.181.78
Dec 16, 2024 10:24:53.582982063 CET | 443 | 49735 | 142.250.181.78 | 192.168.2.10
Dec 16, 2024 10:24:53.584490061 CET | 49736 | 443 | 192.168.2.10 | 142.250.181.78
Dec 16, 2024 10:24:53.584503889 CET | 443 | 49736 | 142.250.181.78 | 192.168.2.10
Dec 16, 2024 10:24:53.584805965 CET | 49737 | 443 | 192.168.2.10 | 35.190.72.216
Dec 16, 2024 10:24:53.584835052 CET | 443 | 49737 | 35.190.72.216 | 192.168.2.10
Dec 16, 2024 10:24:53.585014105 CET | 49737 | 443 | 192.168.2.10 | 35.190.72.216
Dec 16, 2024 10:24:53.586541891 CET | 49737 | 443 | 192.168.2.10 | 35.190.72.216
Dec 16, 2024 10:24:53.586551905 CET | 443 | 49737 | 35.190.72.216 | 192.168.2.10
Dec 16, 2024 10:24:53.695375919 CET | 80 | 49734 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:24:53.695554972 CET | 49734 | 80 | 192.168.2.10 | 34.107.221.82
Dec 16, 2024 10:24:53.695729971 CET | 49734 | 80 | 192.168.2.10 | 34.107.221.82
Dec 16, 2024 10:24:53.815498114 CET | 80 | 49734 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:24:53.919667006 CET | 49738 | 443 | 192.168.2.10 | 35.244.181.201
Dec 16, 2024 10:24:53.919688940 CET | 443 | 49738 | 35.244.181.201 | 192.168.2.10
Dec 16, 2024 10:24:53.923171997 CET | 49738 | 443 | 192.168.2.10 | 35.244.181.201
Dec 16, 2024 10:24:53.923330069 CET | 49738 | 443 | 192.168.2.10 | 35.244.181.201
Dec 16, 2024 10:24:53.923338890 CET | 443 | 49738 | 35.244.181.201 | 192.168.2.10
Dec 16, 2024 10:24:53.925007105 CET | 49739 | 443 | 192.168.2.10 | 34.117.188.166
Dec 16, 2024 10:24:53.925014973 CET | 443 | 49739 | 34.117.188.166 | 192.168.2.10
Dec 16, 2024 10:24:53.925313950 CET | 49739 | 443 | 192.168.2.10 | 34.117.188.166
Dec 16, 2024 10:24:53.926683903 CET | 49739 | 443 | 192.168.2.10 | 34.117.188.166
Dec 16, 2024 10:24:53.926696062 CET | 443 | 49739 | 34.117.188.166 | 192.168.2.10
Dec 16, 2024 10:24:54.489372969 CET | 49741 | 443 | 192.168.2.10 | 34.117.188.166
Dec 16, 2024 10:24:54.489474058 CET | 443 | 49741 | 34.117.188.166 | 192.168.2.10
Dec 16, 2024 10:24:54.491014957 CET | 49741 | 443 | 192.168.2.10 | 34.117.188.166
Dec 16, 2024 10:24:54.492367029 CET | 49741 | 443 | 192.168.2.10 | 34.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.492378950 CET4434974134.117.188.166192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.636195898 CET49742443192.168.2.1034.160.144.191
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.636250973 CET4434974234.160.144.191192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.636385918 CET49742443192.168.2.1034.160.144.191
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.636542082 CET49742443192.168.2.1034.160.144.191
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.636559963 CET4434974234.160.144.191192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.781326056 CET804973434.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.804620028 CET4434973735.190.72.216192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.811346054 CET4434973735.190.72.216192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.831803083 CET4973480192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.831804037 CET49737443192.168.2.1035.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.840070009 CET49737443192.168.2.1035.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.840075970 CET4434973735.190.72.216192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.840292931 CET49737443192.168.2.1035.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.840312004 CET4434973735.190.72.216192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.840327978 CET4434973735.190.72.216192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:54.841202021 CET49737443192.168.2.1035.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.140162945 CET4434973835.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.153862953 CET4434973934.117.188.166192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.154787064 CET49738443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.156347036 CET49739443192.168.2.1034.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.189229965 CET49738443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.189243078 CET4434973835.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.190140963 CET4434973835.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.193109035 CET49738443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.193480968 CET49738443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.193547010 CET4434973835.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.195092916 CET49738443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.195092916 CET49738443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.195382118 CET49739443192.168.2.1034.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.195391893 CET4434973934.117.188.166192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.195441008 CET49739443192.168.2.1034.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.196007013 CET4434973934.117.188.166192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.199160099 CET4973480192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.205576897 CET49739443192.168.2.1034.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.284281969 CET44349736142.250.181.78192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.285064936 CET44349735142.250.181.78192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.285250902 CET49735443192.168.2.10142.250.181.78
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.285271883 CET49736443192.168.2.10142.250.181.78
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.285371065 CET44349736142.250.181.78192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.285768986 CET44349735142.250.181.78192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.286988974 CET49736443192.168.2.10142.250.181.78
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.287137985 CET49735443192.168.2.10142.250.181.78
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.292119026 CET49736443192.168.2.10142.250.181.78
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.292136908 CET44349736142.250.181.78192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.292330027 CET49736443192.168.2.10142.250.181.78
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.292334080 CET44349736142.250.181.78192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.292349100 CET44349736142.250.181.78192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.292510033 CET49735443192.168.2.10142.250.181.78
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.292529106 CET44349735142.250.181.78192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.292582989 CET49735443192.168.2.10142.250.181.78
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.292731047 CET44349735142.250.181.78192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.292848110 CET49735443192.168.2.10142.250.181.78
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.319798946 CET804973434.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.319868088 CET4973480192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.374100924 CET4974880192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.374221087 CET4974980192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.493942022 CET804974834.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.493957043 CET804974934.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.499341011 CET44349736142.250.181.78192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.503204107 CET49736443192.168.2.10142.250.181.78
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.503204107 CET4974980192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.503217936 CET4974880192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.503408909 CET4974880192.168.2.1034.107.221.82
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 16, 2024 10:24:55.503544092 CET  49749        80         192.168.2.10     34.107.221.82
Dec 16, 2024 10:24:55.623079062 CET  80           49748      34.107.221.82    192.168.2.10
Dec 16, 2024 10:24:55.623249054 CET  80           49749      34.107.221.82    192.168.2.10
Dec 16, 2024 10:24:55.717294931 CET  443          49741      34.117.188.166   192.168.2.10
Dec 16, 2024 10:24:55.717379093 CET  49741        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:55.722368002 CET  49741        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:55.722388029 CET  443          49741      34.117.188.166   192.168.2.10
Dec 16, 2024 10:24:55.722459078 CET  49741        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:55.722599030 CET  443          49741      34.117.188.166   192.168.2.10
Dec 16, 2024 10:24:55.723187923 CET  49741        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:55.854190111 CET  443          49742      34.160.144.191   192.168.2.10
Dec 16, 2024 10:24:55.854263067 CET  49742        443        192.168.2.10     34.160.144.191
Dec 16, 2024 10:24:55.873209953 CET  49742        443        192.168.2.10     34.160.144.191
Dec 16, 2024 10:24:55.873234034 CET  443          49742      34.160.144.191   192.168.2.10
Dec 16, 2024 10:24:55.873533010 CET  443          49742      34.160.144.191   192.168.2.10
Dec 16, 2024 10:24:55.876135111 CET  49742        443        192.168.2.10     34.160.144.191
Dec 16, 2024 10:24:55.876219034 CET  49742        443        192.168.2.10     34.160.144.191
Dec 16, 2024 10:24:55.876281023 CET  443          49742      34.160.144.191   192.168.2.10
Dec 16, 2024 10:24:55.876346111 CET  49742        443        192.168.2.10     34.160.144.191
Dec 16, 2024 10:24:56.056402922 CET  49751        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:56.056457996 CET  443          49751      34.117.188.166   192.168.2.10
Dec 16, 2024 10:24:56.056725025 CET  49751        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:56.058191061 CET  49751        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:56.058212042 CET  443          49751      34.117.188.166   192.168.2.10
Dec 16, 2024 10:24:56.587610960 CET  80           49749      34.107.221.82    192.168.2.10
Dec 16, 2024 10:24:56.591360092 CET  80           49748      34.107.221.82    192.168.2.10
Dec 16, 2024 10:24:56.592358112 CET  49748        80         192.168.2.10     34.107.221.82
Dec 16, 2024 10:24:56.645720959 CET  49749        80         192.168.2.10     34.107.221.82
Dec 16, 2024 10:24:56.957986116 CET  49753        443        192.168.2.10     34.107.243.93
Dec 16, 2024 10:24:56.958030939 CET  443          49753      34.107.243.93    192.168.2.10
Dec 16, 2024 10:24:56.958950043 CET  49754        80         192.168.2.10     34.107.221.82
Dec 16, 2024 10:24:56.960525990 CET  49753        443        192.168.2.10     34.107.243.93
Dec 16, 2024 10:24:56.962059021 CET  49753        443        192.168.2.10     34.107.243.93
Dec 16, 2024 10:24:56.962075949 CET  443          49753      34.107.243.93    192.168.2.10
Dec 16, 2024 10:24:57.078687906 CET  80           49754      34.107.221.82    192.168.2.10
Dec 16, 2024 10:24:57.080656052 CET  49754        80         192.168.2.10     34.107.221.82
Dec 16, 2024 10:24:57.080851078 CET  49754        80         192.168.2.10     34.107.221.82
Dec 16, 2024 10:24:57.200517893 CET  80           49754      34.107.221.82    192.168.2.10
Dec 16, 2024 10:24:57.284688950 CET  443          49751      34.117.188.166   192.168.2.10
Dec 16, 2024 10:24:57.286040068 CET  49751        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:57.291321039 CET  49751        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:57.291335106 CET  443          49751      34.117.188.166   192.168.2.10
Dec 16, 2024 10:24:57.291488886 CET  49751        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:57.291611910 CET  443          49751      34.117.188.166   192.168.2.10
Dec 16, 2024 10:24:57.292037010 CET  49758        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:57.292092085 CET  443          49758      34.117.188.166   192.168.2.10
Dec 16, 2024 10:24:57.293055058 CET  49751        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:57.293149948 CET  49758        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:57.295217037 CET  49758        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:57.295238018 CET  443          49758      34.117.188.166   192.168.2.10
Dec 16, 2024 10:24:58.166661978 CET  80           49754      34.107.221.82    192.168.2.10
Dec 16, 2024 10:24:58.180119991 CET  443          49753      34.107.243.93    192.168.2.10
Dec 16, 2024 10:24:58.180200100 CET  49753        443        192.168.2.10     34.107.243.93
Dec 16, 2024 10:24:58.184880972 CET  49753        443        192.168.2.10     34.107.243.93
Dec 16, 2024 10:24:58.184892893 CET  443          49753      34.107.243.93    192.168.2.10
Dec 16, 2024 10:24:58.184941053 CET  49753        443        192.168.2.10     34.107.243.93
Dec 16, 2024 10:24:58.185189962 CET  443          49753      34.107.243.93    192.168.2.10
Dec 16, 2024 10:24:58.185251951 CET  49753        443        192.168.2.10     34.107.243.93
Dec 16, 2024 10:24:58.211728096 CET  49754        80         192.168.2.10     34.107.221.82
Dec 16, 2024 10:24:58.514873981 CET  443          49758      34.117.188.166   192.168.2.10
Dec 16, 2024 10:24:58.516259909 CET  49758        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:58.520917892 CET  49758        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:58.520936012 CET  443          49758      34.117.188.166   192.168.2.10
Dec 16, 2024 10:24:58.521009922 CET  49758        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:24:58.521141052 CET  443          49758      34.117.188.166   192.168.2.10
Dec 16, 2024 10:24:58.522219896 CET  49758        443        192.168.2.10     34.117.188.166
Dec 16, 2024 10:25:00.796905041 CET  49767        443        192.168.2.10     34.120.208.123
Dec 16, 2024 10:25:00.796961069 CET  443          49767      34.120.208.123   192.168.2.10
Dec 16, 2024 10:25:00.797038078 CET  49767        443        192.168.2.10     34.120.208.123
Dec 16, 2024 10:25:00.798738003 CET  49767        443        192.168.2.10     34.120.208.123
Dec 16, 2024 10:25:00.798754930 CET  443          49767      34.120.208.123   192.168.2.10
Dec 16, 2024 10:25:00.808202028 CET  49749        80         192.168.2.10     34.107.221.82
Dec 16, 2024 10:25:00.927876949 CET  80           49749      34.107.221.82    192.168.2.10
Dec 16, 2024 10:25:00.950032949 CET  49769        443        192.168.2.10     34.149.100.209
Dec 16, 2024 10:25:00.950048923 CET  443          49769      34.149.100.209   192.168.2.10
Dec 16, 2024 10:25:00.950112104 CET  49769        443        192.168.2.10     34.149.100.209
Dec 16, 2024 10:25:00.951550007 CET  49769        443        192.168.2.10     34.149.100.209
Dec 16, 2024 10:25:00.951560974 CET  443          49769      34.149.100.209   192.168.2.10
Dec 16, 2024 10:25:00.952430010 CET  49770        443        192.168.2.10     35.244.181.201
Dec 16, 2024 10:25:00.952471972 CET  443          49770      35.244.181.201   192.168.2.10
Dec 16, 2024 10:25:00.952656031 CET  49770        443        192.168.2.10     35.244.181.201
Dec 16, 2024 10:25:00.952656031 CET  49770        443        192.168.2.10     35.244.181.201
Dec 16, 2024 10:25:00.952724934 CET  443          49770      35.244.181.201   192.168.2.10
Dec 16, 2024 10:25:01.122091055 CET  80           49749      34.107.221.82    192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:01.182578087 CET4974980192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.017596006 CET4434976734.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.023340940 CET4434976734.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.032073021 CET49767443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.037025928 CET49767443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.037034988 CET4434976734.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.037064075 CET49767443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.037231922 CET4434976734.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.037930965 CET49767443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.166589975 CET4434976934.149.100.209192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.168735981 CET4434977035.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.175329924 CET4434976934.149.100.209192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.175338030 CET4434977035.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.185622931 CET49769443192.168.2.1034.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.185812950 CET49770443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.207128048 CET49770443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.207144976 CET4434977035.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.208049059 CET4434977035.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.263824940 CET49770443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.287075043 CET49769443192.168.2.1034.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.287081003 CET49770443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.287106037 CET4434976934.149.100.209192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.287178040 CET49769443192.168.2.1034.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.287352085 CET49770443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.287512064 CET4434976934.149.100.209192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.287693024 CET4434977035.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.291335106 CET49770443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:02.291338921 CET49769443192.168.2.1034.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:04.529150009 CET4975480192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:04.651282072 CET804975434.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:04.847712994 CET804975434.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:04.849334955 CET4974980192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:04.911627054 CET4975480192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:04.969078064 CET804974934.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:04.994957924 CET49782443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:04.994981050 CET4434978234.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:04.995055914 CET49782443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:04.996877909 CET49782443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:04.996893883 CET4434978234.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.165278912 CET804974934.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.212661982 CET4974980192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.378580093 CET49784443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.378652096 CET4434978434.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.378801107 CET49785443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.378853083 CET4434978534.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.379007101 CET49784443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.379179955 CET49784443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.379187107 CET49785443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.379214048 CET4434978434.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.379331112 CET49785443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.379348040 CET4434978534.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.460519075 CET4975480192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.580353022 CET804975434.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.775178909 CET804975434.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.829792976 CET4975480192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.978413105 CET49788443192.168.2.1034.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.978456974 CET4434978834.107.243.93192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.980350018 CET49788443192.168.2.1034.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:06.214509010 CET4434978234.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:06.214611053 CET49782443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:06.590123892 CET4434978534.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:06.590199947 CET49785443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:06.597764969 CET4434978434.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:06.597865105 CET49784443192.168.2.1034.120.208.123
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 10:25:06.687728882 CET | 49785 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:06.687755108 CET | 443 | 49785 | 34.120.208.123 | 192.168.2.10
Dec 16, 2024 10:25:06.688112974 CET | 443 | 49785 | 34.120.208.123 | 192.168.2.10
Dec 16, 2024 10:25:06.689917088 CET | 49784 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:06.689971924 CET | 443 | 49784 | 34.120.208.123 | 192.168.2.10
Dec 16, 2024 10:25:06.690970898 CET | 443 | 49784 | 34.120.208.123 | 192.168.2.10
Dec 16, 2024 10:25:06.691339016 CET | 49788 | 443 | 192.168.2.10 | 34.107.243.93
Dec 16, 2024 10:25:06.691373110 CET | 443 | 49788 | 34.107.243.93 | 192.168.2.10
Dec 16, 2024 10:25:06.695899010 CET | 49782 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:06.695919037 CET | 443 | 49782 | 34.120.208.123 | 192.168.2.10
Dec 16, 2024 10:25:06.696149111 CET | 49782 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:06.696165085 CET | 443 | 49782 | 34.120.208.123 | 192.168.2.10
Dec 16, 2024 10:25:06.696293116 CET | 49785 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:06.696394920 CET | 49785 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:06.696413994 CET | 49784 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:06.696475983 CET | 49784 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:06.696507931 CET | 443 | 49785 | 34.120.208.123 | 192.168.2.10
Dec 16, 2024 10:25:06.696552992 CET | 49782 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:06.696682930 CET | 49785 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:06.696980953 CET | 443 | 49784 | 34.120.208.123 | 192.168.2.10
Dec 16, 2024 10:25:06.697046995 CET | 49784 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:06.991801023 CET | 49749 | 80 | 192.168.2.10 | 34.107.221.82
Dec 16, 2024 10:25:06.993509054 CET | 49791 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:06.993552923 CET | 443 | 49791 | 34.120.208.123 | 192.168.2.10
Dec 16, 2024 10:25:06.995152950 CET | 49791 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:07.031218052 CET | 49791 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:07.031238079 CET | 443 | 49791 | 34.120.208.123 | 192.168.2.10
Dec 16, 2024 10:25:07.112077951 CET | 80 | 49749 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:25:07.306010008 CET | 80 | 49749 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:25:07.365665913 CET | 49749 | 80 | 192.168.2.10 | 34.107.221.82
Dec 16, 2024 10:25:07.903191090 CET | 443 | 49788 | 34.107.243.93 | 192.168.2.10
Dec 16, 2024 10:25:07.903307915 CET | 49788 | 443 | 192.168.2.10 | 34.107.243.93
Dec 16, 2024 10:25:08.258008957 CET | 443 | 49791 | 34.120.208.123 | 192.168.2.10
Dec 16, 2024 10:25:08.258189917 CET | 49791 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:08.628768921 CET | 49754 | 80 | 192.168.2.10 | 34.107.221.82
Dec 16, 2024 10:25:08.749924898 CET | 80 | 49754 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:25:08.944520950 CET | 80 | 49754 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:25:08.985929966 CET | 49754 | 80 | 192.168.2.10 | 34.107.221.82
Dec 16, 2024 10:25:09.422735929 CET | 49788 | 443 | 192.168.2.10 | 34.107.243.93
Dec 16, 2024 10:25:09.422735929 CET | 49788 | 443 | 192.168.2.10 | 34.107.243.93
Dec 16, 2024 10:25:09.422816038 CET | 443 | 49788 | 34.107.243.93 | 192.168.2.10
Dec 16, 2024 10:25:09.423187971 CET | 443 | 49788 | 34.107.243.93 | 192.168.2.10
Dec 16, 2024 10:25:09.429728985 CET | 49791 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:09.429728985 CET | 49791 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:09.429750919 CET | 443 | 49791 | 34.120.208.123 | 192.168.2.10
Dec 16, 2024 10:25:09.429934978 CET | 49788 | 443 | 192.168.2.10 | 34.107.243.93
Dec 16, 2024 10:25:09.430093050 CET | 443 | 49791 | 34.120.208.123 | 192.168.2.10
Dec 16, 2024 10:25:09.430300951 CET | 49791 | 443 | 192.168.2.10 | 34.120.208.123
Dec 16, 2024 10:25:11.041141033 CET | 49749 | 80 | 192.168.2.10 | 34.107.221.82
Dec 16, 2024 10:25:11.161159992 CET | 80 | 49749 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:25:11.355268002 CET | 80 | 49749 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:25:11.408634901 CET | 49749 | 80 | 192.168.2.10 | 34.107.221.82
Dec 16, 2024 10:25:11.694981098 CET | 49754 | 80 | 192.168.2.10 | 34.107.221.82
Dec 16, 2024 10:25:11.814841032 CET | 80 | 49754 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:25:12.009720087 CET | 80 | 49754 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:25:12.063908100 CET | 49754 | 80 | 192.168.2.10 | 34.107.221.82
Dec 16, 2024 10:25:20.279501915 CET | 49822 | 443 | 192.168.2.10 | 35.190.72.216
Dec 16, 2024 10:25:20.279551029 CET | 443 | 49822 | 35.190.72.216 | 192.168.2.10
Dec 16, 2024 10:25:20.291347027 CET | 49822 | 443 | 192.168.2.10 | 35.190.72.216
Dec 16, 2024 10:25:20.293778896 CET | 49822 | 443 | 192.168.2.10 | 35.190.72.216
Dec 16, 2024 10:25:20.293797016 CET | 443 | 49822 | 35.190.72.216 | 192.168.2.10
Dec 16, 2024 10:25:20.295803070 CET | 49823 | 443 | 192.168.2.10 | 34.149.100.209
Dec 16, 2024 10:25:20.295820951 CET | 443 | 49823 | 34.149.100.209 | 192.168.2.10
Dec 16, 2024 10:25:20.296875000 CET | 49823 | 443 | 192.168.2.10 | 34.149.100.209
Dec 16, 2024 10:25:20.297137976 CET | 49823 | 443 | 192.168.2.10 | 34.149.100.209
Dec 16, 2024 10:25:20.297151089 CET | 443 | 49823 | 34.149.100.209 | 192.168.2.10
Dec 16, 2024 10:25:20.377098083 CET | 49824 | 443 | 192.168.2.10 | 35.244.181.201
Dec 16, 2024 10:25:20.377132893 CET | 443 | 49824 | 35.244.181.201 | 192.168.2.10
Dec 16, 2024 10:25:20.377427101 CET | 49824 | 443 | 192.168.2.10 | 35.244.181.201
Dec 16, 2024 10:25:20.377577066 CET | 49824 | 443 | 192.168.2.10 | 35.244.181.201
Dec 16, 2024 10:25:20.377582073 CET | 443 | 49824 | 35.244.181.201 | 192.168.2.10
Dec 16, 2024 10:25:20.491134882 CET | 49826 | 443 | 192.168.2.10 | 151.101.1.91
Dec 16, 2024 10:25:20.491175890 CET | 443 | 49826 | 151.101.1.91 | 192.168.2.10
Dec 16, 2024 10:25:20.491336107 CET | 49826 | 443 | 192.168.2.10 | 151.101.1.91
Dec 16, 2024 10:25:20.491892099 CET | 49826 | 443 | 192.168.2.10 | 151.101.1.91
Dec 16, 2024 10:25:20.491904974 CET | 443 | 49826 | 151.101.1.91 | 192.168.2.10
Dec 16, 2024 10:25:20.587462902 CET | 49827 | 443 | 192.168.2.10 | 35.201.103.21
Dec 16, 2024 10:25:20.587521076 CET | 443 | 49827 | 35.201.103.21 | 192.168.2.10
Dec 16, 2024 10:25:20.588320971 CET | 49827 | 443 | 192.168.2.10 | 35.201.103.21
Dec 16, 2024 10:25:20.590398073 CET | 49827 | 443 | 192.168.2.10 | 35.201.103.21
Dec 16, 2024 10:25:20.590413094 CET | 443 | 49827 | 35.201.103.21 | 192.168.2.10
Dec 16, 2024 10:25:21.299503088 CET | 49829 | 443 | 192.168.2.10 | 34.107.243.93
Dec 16, 2024 10:25:21.299551964 CET | 443 | 49829 | 34.107.243.93 | 192.168.2.10
Dec 16, 2024 10:25:21.299757004 CET | 49829 | 443 | 192.168.2.10 | 34.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.301904917 CET49829443192.168.2.1034.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.301919937 CET4434982934.107.243.93192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.363339901 CET4974980192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.483123064 CET804974934.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.508023024 CET4434982334.149.100.209192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.508094072 CET4434982235.190.72.216192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.508116961 CET4434982235.190.72.216192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.508117914 CET49823443192.168.2.1034.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.508299112 CET49822443192.168.2.1035.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.512052059 CET49823443192.168.2.1034.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.512065887 CET4434982334.149.100.209192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.512547016 CET4434982334.149.100.209192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.518153906 CET49823443192.168.2.1034.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.518330097 CET49823443192.168.2.1034.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.518413067 CET4434982334.149.100.209192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.519179106 CET49832443192.168.2.1034.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.519217968 CET4434983234.149.100.209192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.519520044 CET49822443192.168.2.1035.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.519527912 CET4434982235.190.72.216192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.519639969 CET49822443192.168.2.1035.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.519876003 CET4434982235.190.72.216192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.521428108 CET49823443192.168.2.1034.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.521429062 CET49822443192.168.2.1035.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.521449089 CET49832443192.168.2.1034.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.521622896 CET49832443192.168.2.1034.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.521641970 CET4434983234.149.100.209192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.523608923 CET4974980192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.588742971 CET4434982435.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.588829994 CET49824443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.592794895 CET49824443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.592803955 CET4434982435.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.593029976 CET4434982435.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.596057892 CET49824443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.596199989 CET4434982435.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.596224070 CET49824443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.596234083 CET4434982435.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.643579006 CET804974934.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.715475082 CET44349826151.101.1.91192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.715564966 CET49826443192.168.2.10151.101.1.91
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.719908953 CET49826443192.168.2.10151.101.1.91
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.719919920 CET44349826151.101.1.91192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.720283031 CET44349826151.101.1.91192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.722418070 CET49826443192.168.2.10151.101.1.91
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.722485065 CET49826443192.168.2.10151.101.1.91
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.722625017 CET44349826151.101.1.91192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.722707033 CET49826443192.168.2.10151.101.1.91
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.731019974 CET49833443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.731084108 CET4434983335.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.731336117 CET49833443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.731416941 CET49833443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.731427908 CET4434983335.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.734127045 CET49834443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.734175920 CET4434983435.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.734477043 CET49834443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.734684944 CET49834443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.734704018 CET4434983435.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.738048077 CET49835443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.738063097 CET4434983535.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.738493919 CET49835443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.738693953 CET49835443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.738708019 CET4434983535.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.803337097 CET4434982435.244.181.201192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.803426981 CET49824443192.168.2.1035.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.806226969 CET4434982735.201.103.21192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:23.597245932 CET804975434.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:23.639072895 CET4975480192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:33.282768011 CET4974980192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:33.403362989 CET804974934.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:33.599428892 CET4975480192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:33.719230890 CET804975434.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:41.091428041 CET4974980192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:41.211482048 CET804974934.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:41.405356884 CET804974934.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:41.408659935 CET4975480192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:41.452744961 CET4974980192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:41.528647900 CET804975434.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:41.723278046 CET804975434.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:41.776036978 CET4975480192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:42.667268038 CET49887443192.168.2.1034.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:42.667366028 CET4434988734.107.243.93192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:42.667725086 CET49887443192.168.2.1034.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:42.669137955 CET49887443192.168.2.1034.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:42.669156075 CET4434988734.107.243.93192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.041256905 CET4434988734.107.243.93192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.041356087 CET49887443192.168.2.1034.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.045619965 CET49887443192.168.2.1034.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.045633078 CET4434988734.107.243.93192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.045723915 CET49887443192.168.2.1034.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.045872927 CET4434988734.107.243.93192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.045991898 CET49887443192.168.2.1034.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.048804998 CET4974980192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.168576002 CET804974934.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.362835884 CET804974934.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.365964890 CET4975480192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.414935112 CET4974980192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.485743999 CET804975434.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.680393934 CET804975434.107.221.82192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.731345892 CET4975480192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:50.138632059 CET49907443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:50.138657093 CET4434990734.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:50.138740063 CET49907443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:50.138879061 CET49907443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:50.138889074 CET4434990734.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:50.153155088 CET49908443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:50.153181076 CET4434990834.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:50.154455900 CET49908443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:50.154597998 CET49908443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:50.154606104 CET4434990834.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.357043982 CET4434990734.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.357207060 CET49907443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.360646009 CET49907443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.360656023 CET4434990734.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.361069918 CET4434990734.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.363842010 CET49907443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.363989115 CET49907443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.364058971 CET4434990734.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.364200115 CET49907443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.365722895 CET4434990834.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.366991043 CET49908443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.371021986 CET49908443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.371043921 CET4434990834.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.371500969 CET4974980192.168.2.1034.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.371742010 CET4434990834.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.374435902 CET49908443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.374526024 CET49908443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.374651909 CET4434990834.120.208.123192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.375246048 CET49908443192.168.2.1034.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.491305113 CET804974934.107.221.82192.168.2.10
Dec 16, 2024 10:25:51.685659885 CET | 80    | 49749 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:25:51.691028118 CET | 49754 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:25:51.735860109 CET | 49749 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:25:51.810919046 CET | 80    | 49754 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:25:52.006180048 CET | 80    | 49754 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:25:52.052222013 CET | 49754 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:01.696938038 CET | 49749 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:01.816715956 CET | 80    | 49749 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:26:02.013510942 CET | 49754 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:02.134042978 CET | 80    | 49754 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:26:11.826885939 CET | 49749 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:11.946719885 CET | 80    | 49749 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:26:12.143410921 CET | 49754 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:12.263250113 CET | 80    | 49754 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:26:21.956497908 CET | 49749 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:22.076265097 CET | 80    | 49749 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:26:22.272856951 CET | 49754 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:22.392672062 CET | 80    | 49754 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:26:24.270349979 CET | 49987 | 443   | 192.168.2.10  | 34.107.243.93
Dec 16, 2024 10:26:24.270458937 CET | 443   | 49987 | 34.107.243.93 | 192.168.2.10
Dec 16, 2024 10:26:24.271404982 CET | 49987 | 443   | 192.168.2.10  | 34.107.243.93
Dec 16, 2024 10:26:24.272974968 CET | 49987 | 443   | 192.168.2.10  | 34.107.243.93
Dec 16, 2024 10:26:24.273011923 CET | 443   | 49987 | 34.107.243.93 | 192.168.2.10
Dec 16, 2024 10:26:25.485306025 CET | 443   | 49987 | 34.107.243.93 | 192.168.2.10
Dec 16, 2024 10:26:25.485452890 CET | 49987 | 443   | 192.168.2.10  | 34.107.243.93
Dec 16, 2024 10:26:25.491584063 CET | 49987 | 443   | 192.168.2.10  | 34.107.243.93
Dec 16, 2024 10:26:25.491600990 CET | 443   | 49987 | 34.107.243.93 | 192.168.2.10
Dec 16, 2024 10:26:25.491677046 CET | 49987 | 443   | 192.168.2.10  | 34.107.243.93
Dec 16, 2024 10:26:25.491858006 CET | 443   | 49987 | 34.107.243.93 | 192.168.2.10
Dec 16, 2024 10:26:25.492563963 CET | 49987 | 443   | 192.168.2.10  | 34.107.243.93
Dec 16, 2024 10:26:25.494445086 CET | 49749 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:25.614304066 CET | 80    | 49749 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:26:25.808125973 CET | 80    | 49749 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:26:25.811867952 CET | 49754 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:25.850415945 CET | 49749 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:25.931772947 CET | 80    | 49754 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:26:26.126329899 CET | 80    | 49754 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:26:26.166974068 CET | 49754 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:35.810894966 CET | 49749 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:35.930679083 CET | 80    | 49749 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:26:36.133974075 CET | 49754 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:36.253792048 CET | 80    | 49754 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:26:45.941428900 CET | 49749 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:46.062716007 CET | 80    | 49749 | 34.107.221.82 | 192.168.2.10
Dec 16, 2024 10:26:46.263752937 CET | 49754 | 80    | 192.168.2.10  | 34.107.221.82
Dec 16, 2024 10:26:46.383699894 CET | 80    | 49754 | 34.107.221.82 | 192.168.2.10
Timestamp                           | Source Port | Dest Port | Source IP    | Dest IP
Dec 16, 2024 10:24:53.436651945 CET | 58260       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:53.437335014 CET | 54321       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:53.574410915 CET | 53          | 54321     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:53.575903893 CET | 52396       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:53.578222990 CET | 59757       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:53.579365969 CET | 63845       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:53.712860107 CET | 53          | 52396     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:53.714021921 CET | 49559       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:53.715518951 CET | 53          | 59757     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:53.716311932 CET | 61738       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:53.717636108 CET | 53          | 63845     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:53.718193054 CET | 62123       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:53.778754950 CET | 52653       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:53.834799051 CET | 49471       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:53.851444006 CET | 53          | 49559     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:53.853589058 CET | 53          | 61738     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:53.859108925 CET | 53          | 62123     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:53.918766975 CET | 53          | 52653     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:53.920205116 CET | 50027       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:53.925179005 CET | 60356       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:53.971898079 CET | 53          | 49471     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:54.062592030 CET | 53          | 60356     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:54.068816900 CET | 58881       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:54.143254042 CET | 53          | 50027     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:54.145536900 CET | 59888       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:54.206098080 CET | 53          | 58881     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:54.282531023 CET | 53          | 59888     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:54.490154028 CET | 65416       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:54.494340897 CET | 51583       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:54.630368948 CET | 53          | 65416     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:54.631107092 CET | 57151       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:54.635390043 CET | 53          | 51583     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:54.636342049 CET | 61970       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:54.777851105 CET | 53          | 61970     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:54.780078888 CET | 53419       | 53        | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:24:54.916989088 CET | 53          | 53419     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:54.971549034 CET | 53          | 57151     | 1.1.1.1      | 192.168.2.10
Dec 16, 2024 10:24:55.196767092 CET | 60058       | 53        | 192.168.2.10 | 1.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.196878910 CET5071253192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.235265970 CET5151753192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.333676100 CET53600581.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.334366083 CET53507121.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.349548101 CET6408153192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:55.984338045 CET6249353192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:56.016746044 CET53630391.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:56.121855021 CET53624931.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:56.123218060 CET5975353192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:56.260469913 CET53597531.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:56.261199951 CET5249253192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:24:56.399279118 CET53524921.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:00.635113955 CET5922753192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:00.773844957 CET53592271.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:00.782633066 CET5878453192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:00.799673080 CET6205653192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:00.811381102 CET6197553192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:00.824438095 CET6528553192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:00.937098026 CET53620561.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:00.937722921 CET6004753192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:00.949201107 CET53619751.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:00.963426113 CET53652851.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:00.964427948 CET5694553192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:01.075150967 CET53600471.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:01.102510929 CET53569451.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:01.107852936 CET5497053192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:01.120867014 CET53587841.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:01.121495008 CET5881153192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:01.248383999 CET53549701.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:01.261322975 CET53588111.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.978996038 CET6159053192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:06.115978956 CET53615901.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:06.994237900 CET6133753192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:07.131936073 CET53613371.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.716557980 CET4983353192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.717067003 CET6321753192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.717521906 CET5306553192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.854084969 CET53498331.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.854374886 CET53632171.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.855351925 CET53530651.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.855473995 CET6040653192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.856513023 CET6119853192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.856678009 CET6059153192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.992786884 CET53604061.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.993694067 CET5560453192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.994565964 CET53605911.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.995294094 CET6445253192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.079643965 CET53611981.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.080406904 CET5411853192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.131489038 CET53556041.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.133024931 CET5669453192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.133193970 CET53644521.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.134140968 CET5168553192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.217978954 CET53541181.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.271123886 CET53566941.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.272845984 CET53516851.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.278696060 CET5919253192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.279207945 CET6209753192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.416100979 CET53591921.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.416929007 CET5259553192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.417120934 CET53620971.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.418015957 CET5561953192.168.2.101.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.554761887 CET53525951.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.555504084 CET53556191.1.1.1192.168.2.10
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.256377935 CET4943353192.168.2.101.1.1.1
Dec 16, 2024 10:25:20.296000004 CET | 50870 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:25:20.376308918 CET | 64712 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:25:20.489517927 CET | 53 | 49433 | 1.1.1.1 | 192.168.2.10
Dec 16, 2024 10:25:20.491194963 CET | 65094 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:25:20.514153004 CET | 53 | 64712 | 1.1.1.1 | 192.168.2.10
Dec 16, 2024 10:25:20.582751036 CET | 53 | 50870 | 1.1.1.1 | 192.168.2.10
Dec 16, 2024 10:25:20.588030100 CET | 51516 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:25:20.630866051 CET | 53 | 65094 | 1.1.1.1 | 192.168.2.10
Dec 16, 2024 10:25:20.631799936 CET | 61611 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:25:20.725446939 CET | 53 | 51516 | 1.1.1.1 | 192.168.2.10
Dec 16, 2024 10:25:20.726258993 CET | 51800 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:25:20.768748999 CET | 53 | 61611 | 1.1.1.1 | 192.168.2.10
Dec 16, 2024 10:25:20.865911961 CET | 53 | 51800 | 1.1.1.1 | 192.168.2.10
Dec 16, 2024 10:25:21.300482988 CET | 63787 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:25:21.438468933 CET | 53 | 63787 | 1.1.1.1 | 192.168.2.10
Dec 16, 2024 10:25:21.523900032 CET | 53077 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:25:22.965218067 CET | 57221 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:25:41.092250109 CET | 64700 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:25:42.528644085 CET | 49871 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:25:42.666241884 CET | 53 | 49871 | 1.1.1.1 | 192.168.2.10
Dec 16, 2024 10:25:42.667664051 CET | 55218 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:25:42.805691004 CET | 53 | 55218 | 1.1.1.1 | 192.168.2.10
Dec 16, 2024 10:25:50.138097048 CET | 59212 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:25:50.276084900 CET | 53 | 59212 | 1.1.1.1 | 192.168.2.10
Dec 16, 2024 10:26:24.271300077 CET | 65194 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 10:26:24.409353971 CET | 53 | 65194 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 10:24:53.436651945 CET | 192.168.2.10 | 1.1.1.1 | 0x2464 | Standard query (0) | detectportal.firefox.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.437335014 CET | 192.168.2.10 | 1.1.1.1 | 0xa155 | Standard query (0) | youtube.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.575903893 CET | 192.168.2.10 | 1.1.1.1 | 0x8ad2 | Standard query (0) | prod.detectportal.prod.cloudops.mozgcp.net | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.578222990 CET | 192.168.2.10 | 1.1.1.1 | 0xe609 | Standard query (0) | youtube.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.579365969 CET | 192.168.2.10 | 1.1.1.1 | 0xd1c | Standard query (0) | prod.classify-client.prod.webservices.mozgcp.net | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.714021921 CET | 192.168.2.10 | 1.1.1.1 | 0x1902 | Standard query (0) | prod.detectportal.prod.cloudops.mozgcp.net | 28 | IN (0x0001) | false
Dec 16, 2024 10:24:53.716311932 CET | 192.168.2.10 | 1.1.1.1 | 0xd13c | Standard query (0) | youtube.com | 28 | IN (0x0001) | false
Dec 16, 2024 10:24:53.718193054 CET | 192.168.2.10 | 1.1.1.1 | 0x17d3 | Standard query (0) | prod.classify-client.prod.webservices.mozgcp.net | 28 | IN (0x0001) | false
Dec 16, 2024 10:24:53.778754950 CET | 192.168.2.10 | 1.1.1.1 | 0xbb15 | Standard query (0) | contile.services.mozilla.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.834799051 CET | 192.168.2.10 | 1.1.1.1 | 0xb45c | Standard query (0) | spocs.getpocket.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.920205116 CET | 192.168.2.10 | 1.1.1.1 | 0xdc74 | Standard query (0) | prod.balrog.prod.cloudops.mozgcp.net | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.925179005 CET | 192.168.2.10 | 1.1.1.1 | 0x3a5d | Standard query (0) | contile.services.mozilla.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:54.068816900 CET | 192.168.2.10 | 1.1.1.1 | 0x21c6 | Standard query (0) | contile.services.mozilla.com | 28 | IN (0x0001) | false
Dec 16, 2024 10:24:54.145536900 CET | 192.168.2.10 | 1.1.1.1 | 0x5cf4 | Standard query (0) | prod.balrog.prod.cloudops.mozgcp.net | 28 | IN (0x0001) | false
Dec 16, 2024 10:24:54.490154028 CET | 192.168.2.10 | 1.1.1.1 | 0x27a0 | Standard query (0) | prod.ads.prod.webservices.mozgcp.net | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:54.494340897 CET | 192.168.2.10 | 1.1.1.1 | 0x62a4 | Standard query (0) | content-signature-2.cdn.mozilla.net | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:54.631107092 CET | 192.168.2.10 | 1.1.1.1 | 0x51a1 | Standard query (0) | prod.ads.prod.webservices.mozgcp.net | 28 | IN (0x0001) | false
Dec 16, 2024 10:24:54.636342049 CET | 192.168.2.10 | 1.1.1.1 | 0xc23e | Standard query (0) | prod.content-signature-chains.prod.webservices.mozgcp.net | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:54.780078888 CET | 192.168.2.10 | 1.1.1.1 | 0x1185 | Standard query (0) | prod.content-signature-chains.prod.webservices.mozgcp.net | 28 | IN (0x0001) | false
Dec 16, 2024 10:24:55.196767092 CET | 192.168.2.10 | 1.1.1.1 | 0x5c39 | Standard query (0) | example.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:55.196878910 CET | 192.168.2.10 | 1.1.1.1 | 0xbcc8 | Standard query (0) | ipv4only.arpa | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:55.235265970 CET | 192.168.2.10 | 1.1.1.1 | 0x68dd | Standard query (0) | detectportal.firefox.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:55.349548101 CET | 192.168.2.10 | 1.1.1.1 | 0xcf8 | Standard query (0) | shavar.services.mozilla.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:55.984338045 CET | 192.168.2.10 | 1.1.1.1 | 0xd560 | Standard query (0) | push.services.mozilla.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:56.123218060 CET | 192.168.2.10 | 1.1.1.1 | 0xe6b5 | Standard query (0) | push.services.mozilla.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:56.261199951 CET | 192.168.2.10 | 1.1.1.1 | 0x75a9 | Standard query (0) | push.services.mozilla.com | 28 | IN (0x0001) | false
Dec 16, 2024 10:25:00.635113955 CET | 192.168.2.10 | 1.1.1.1 | 0x2b46 | Standard query (0) | support.mozilla.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:00.782633066 CET | 192.168.2.10 | 1.1.1.1 | 0x81f2 | Standard query (0) | us-west1.prod.sumo.prod.webservices.mozgcp.net | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:00.799673080 CET | 192.168.2.10 | 1.1.1.1 | 0xdb68 | Standard query (0) | telemetry-incoming.r53-2.services.mozilla.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:00.811381102 CET | 192.168.2.10 | 1.1.1.1 | 0xb2b1 | Standard query (0) | firefox.settings.services.mozilla.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:00.824438095 CET | 192.168.2.10 | 1.1.1.1 | 0x5d3e | Standard query (0) | prod.balrog.prod.cloudops.mozgcp.net | 28 | IN (0x0001) | false
Dec 16, 2024 10:25:00.937722921 CET | 192.168.2.10 | 1.1.1.1 | 0x76 | Standard query (0) | telemetry-incoming.r53-2.services.mozilla.com | 28 | IN (0x0001) | false
Dec 16, 2024 10:25:00.964427948 CET | 192.168.2.10 | 1.1.1.1 | 0xa49d | Standard query (0) | prod.remote-settings.prod.webservices.mozgcp.net | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:01.107852936 CET | 192.168.2.10 | 1.1.1.1 | 0x391a | Standard query (0) | prod.remote-settings.prod.webservices.mozgcp.net | 28 | IN (0x0001) | false
Dec 16, 2024 10:25:01.121495008 CET | 192.168.2.10 | 1.1.1.1 | 0xd858 | Standard query (0) | us-west1.prod.sumo.prod.webservices.mozgcp.net | 28 | IN (0x0001) | false
Dec 16, 2024 10:25:05.978996038 CET | 192.168.2.10 | 1.1.1.1 | 0x99f | Standard query (0) | push.services.mozilla.com | 28 | IN (0x0001) | false
Dec 16, 2024 10:25:06.994237900 CET | 192.168.2.10 | 1.1.1.1 | 0xd6c4 | Standard query (0) | telemetry-incoming.r53-2.services.mozilla.com | 28 | IN (0x0001) | false
Dec 16, 2024 10:25:13.716557980 CET | 192.168.2.10 | 1.1.1.1 | 0x16b7 | Standard query (0) | www.youtube.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:13.717067003 CET | 192.168.2.10 | 1.1.1.1 | 0x9bc7 | Standard query (0) | www.facebook.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:13.717521906 CET | 192.168.2.10 | 1.1.1.1 | 0xdaed | Standard query (0) | www.wikipedia.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:13.855473995 CET | 192.168.2.10 | 1.1.1.1 | 0x7389 | Standard query (0) | youtube-ui.l.google.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:13.856513023 CET | 192.168.2.10 | 1.1.1.1 | 0x7222 | Standard query (0) | dyna.wikimedia.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:13.856678009 CET | 192.168.2.10 | 1.1.1.1 | 0xab9a | Standard query (0) | star-mini.c10r.facebook.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:13.993694067 CET | 192.168.2.10 | 1.1.1.1 | 0xcebd | Standard query (0) | youtube-ui.l.google.com | 28 | IN (0x0001) | false
Dec 16, 2024 10:25:13.995294094 CET | 192.168.2.10 | 1.1.1.1 | 0xdfd2 | Standard query (0) | star-mini.c10r.facebook.com | 28 | IN (0x0001) | false
Dec 16, 2024 10:25:14.080406904 CET | 192.168.2.10 | 1.1.1.1 | 0xefef | Standard query (0) | dyna.wikimedia.org | 28 | IN (0x0001) | false
Dec 16, 2024 10:25:14.133024931 CET | 192.168.2.10 | 1.1.1.1 | 0x4109 | Standard query (0) | www.reddit.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:14.134140968 CET | 192.168.2.10 | 1.1.1.1 | 0xdac5 | Standard query (0) | twitter.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:14.278696060 CET | 192.168.2.10 | 1.1.1.1 | 0x69cb | Standard query (0) | twitter.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:14.279207945 CET | 192.168.2.10 | 1.1.1.1 | 0x717 | Standard query (0) | reddit.map.fastly.net | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:14.416929007 CET | 192.168.2.10 | 1.1.1.1 | 0x506a | Standard query (0) | twitter.com | 28 | IN (0x0001) | false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.418015957 CET192.168.2.101.1.1.10x3e07Standard query (0)reddit.map.fastly.net28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.256377935 CET192.168.2.101.1.1.10x411fStandard query (0)services.addons.mozilla.orgA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.296000004 CET192.168.2.101.1.1.10xc47dStandard query (0)normandy.cdn.mozilla.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.376308918 CET192.168.2.101.1.1.10xce71Standard query (0)prod.balrog.prod.cloudops.mozgcp.net28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.491194963 CET192.168.2.101.1.1.10x5b67Standard query (0)services.addons.mozilla.orgA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.588030100 CET192.168.2.101.1.1.10x5087Standard query (0)normandy-cdn.services.mozilla.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.631799936 CET192.168.2.101.1.1.10xea2bStandard query (0)services.addons.mozilla.org28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.726258993 CET192.168.2.101.1.1.10x2f45Standard query (0)normandy-cdn.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.300482988 CET192.168.2.101.1.1.10xd955Standard query (0)push.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:21.523900032 CET192.168.2.101.1.1.10x4d50Standard query (0)detectportal.firefox.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:22.965218067 CET192.168.2.101.1.1.10xd897Standard query (0)detectportal.firefox.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:41.092250109 CET192.168.2.101.1.1.10x754Standard query (0)detectportal.firefox.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:42.528644085 CET192.168.2.101.1.1.10x9651Standard query (0)push.services.mozilla.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:42.667664051 CET192.168.2.101.1.1.10x4bb2Standard query (0)push.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:50.138097048 CET192.168.2.101.1.1.10x54e8Standard query (0)telemetry-incoming.r53-2.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:24.271300077 CET192.168.2.101.1.1.10x7713Standard query (0)push.services.mozilla.com28IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 10:24:42.863787889 CET | 1.1.1.1 | 192.168.2.10 | 0xc696 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:24:42.863787889 CET | 1.1.1.1 | 192.168.2.10 | 0xc696 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.573405027 CET | 1.1.1.1 | 192.168.2.10 | 0x2464 | No error (0) | detectportal.firefox.com | detectportal.prod.mozaws.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:24:53.573405027 CET | 1.1.1.1 | 192.168.2.10 | 0x2464 | No error (0) | prod.detectportal.prod.cloudops.mozgcp.net | | 34.107.221.82 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.574410915 CET | 1.1.1.1 | 192.168.2.10 | 0xa155 | No error (0) | youtube.com | | 142.250.181.78 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.574621916 CET | 1.1.1.1 | 192.168.2.10 | 0x5878 | No error (0) | prod.classify-client.prod.webservices.mozgcp.net | | 35.190.72.216 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.712860107 CET | 1.1.1.1 | 192.168.2.10 | 0x8ad2 | No error (0) | prod.detectportal.prod.cloudops.mozgcp.net | | 34.107.221.82 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.715518951 CET | 1.1.1.1 | 192.168.2.10 | 0xe609 | No error (0) | youtube.com | | 142.250.181.78 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.717636108 CET | 1.1.1.1 | 192.168.2.10 | 0xd1c | No error (0) | prod.classify-client.prod.webservices.mozgcp.net | | 35.190.72.216 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.851444006 CET | 1.1.1.1 | 192.168.2.10 | 0x1902 | No error (0) | prod.detectportal.prod.cloudops.mozgcp.net | | | 28 | IN (0x0001) | false
Dec 16, 2024 10:24:53.853589058 CET | 1.1.1.1 | 192.168.2.10 | 0xd13c | No error (0) | youtube.com | | | 28 | IN (0x0001) | false
Dec 16, 2024 10:24:53.914541006 CET | 1.1.1.1 | 192.168.2.10 | 0x972e | No error (0) | balrog-aus5.r53-2.services.mozilla.com | prod.balrog.prod.cloudops.mozgcp.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:24:53.914541006 CET | 1.1.1.1 | 192.168.2.10 | 0x972e | No error (0) | prod.balrog.prod.cloudops.mozgcp.net | | 35.244.181.201 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.918766975 CET | 1.1.1.1 | 192.168.2.10 | 0xbb15 | No error (0) | contile.services.mozilla.com | | 34.117.188.166 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:53.971898079 CET | 1.1.1.1 | 192.168.2.10 | 0xb45c | No error (0) | spocs.getpocket.com | prod.ads.prod.webservices.mozgcp.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:24:53.971898079 CET | 1.1.1.1 | 192.168.2.10 | 0xb45c | No error (0) | prod.ads.prod.webservices.mozgcp.net | | 34.117.188.166 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:54.062592030 CET | 1.1.1.1 | 192.168.2.10 | 0x3a5d | No error (0) | contile.services.mozilla.com | | 34.117.188.166 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:54.143254042 CET | 1.1.1.1 | 192.168.2.10 | 0xdc74 | No error (0) | prod.balrog.prod.cloudops.mozgcp.net | | 35.244.181.201 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:54.630368948 CET | 1.1.1.1 | 192.168.2.10 | 0x27a0 | No error (0) | prod.ads.prod.webservices.mozgcp.net | | 34.117.188.166 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:54.635390043 CET | 1.1.1.1 | 192.168.2.10 | 0x62a4 | No error (0) | content-signature-2.cdn.mozilla.net | content-signature-chains.prod.autograph.services.mozaws.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:24:54.635390043 CET | 1.1.1.1 | 192.168.2.10 | 0x62a4 | No error (0) | content-signature-chains.prod.autograph.services.mozaws.net | prod.content-signature-chains.prod.webservices.mozgcp.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:24:54.635390043 CET | 1.1.1.1 | 192.168.2.10 | 0x62a4 | No error (0) | prod.content-signature-chains.prod.webservices.mozgcp.net | | 34.160.144.191 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:54.777851105 CET | 1.1.1.1 | 192.168.2.10 | 0xc23e | No error (0) | prod.content-signature-chains.prod.webservices.mozgcp.net | | 34.160.144.191 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:54.916989088 CET | 1.1.1.1 | 192.168.2.10 | 0x1185 | No error (0) | prod.content-signature-chains.prod.webservices.mozgcp.net | | | 28 | IN (0x0001) | false
Dec 16, 2024 10:24:55.333676100 CET | 1.1.1.1 | 192.168.2.10 | 0x5c39 | No error (0) | example.org | | 93.184.215.14 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:55.334366083 CET | 1.1.1.1 | 192.168.2.10 | 0xbcc8 | No error (0) | ipv4only.arpa | | 192.0.0.170 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:55.334366083 CET | 1.1.1.1 | 192.168.2.10 | 0xbcc8 | No error (0) | ipv4only.arpa | | 192.0.0.171 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:55.372719049 CET | 1.1.1.1 | 192.168.2.10 | 0x68dd | No error (0) | detectportal.firefox.com | detectportal.prod.mozaws.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:24:55.372719049 CET | 1.1.1.1 | 192.168.2.10 | 0x68dd | No error (0) | prod.detectportal.prod.cloudops.mozgcp.net | | 34.107.221.82 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:55.567666054 CET | 1.1.1.1 | 192.168.2.10 | 0xcf8 | No error (0) | shavar.services.mozilla.com | shavar.prod.mozaws.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:24:56.121855021 CET | 1.1.1.1 | 192.168.2.10 | 0xd560 | No error (0) | push.services.mozilla.com | | 34.107.243.93 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:24:56.260469913 CET | 1.1.1.1 | 192.168.2.10 | 0xe6b5 | No error (0) | push.services.mozilla.com | | 34.107.243.93 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:00.773844957 CET | 1.1.1.1 | 192.168.2.10 | 0x2b46 | No error (0) | support.mozilla.org | prod.sumo.prod.webservices.mozgcp.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:25:00.773844957 CET | 1.1.1.1 | 192.168.2.10 | 0x2b46 | No error (0) | prod.sumo.prod.webservices.mozgcp.net | us-west1.prod.sumo.prod.webservices.mozgcp.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:25:00.773844957 CET | 1.1.1.1 | 192.168.2.10 | 0x2b46 | No error (0) | us-west1.prod.sumo.prod.webservices.mozgcp.net | | 34.149.128.2 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:00.796076059 CET | 1.1.1.1 | 192.168.2.10 | 0x48cc | No error (0) | telemetry-incoming.r53-2.services.mozilla.com | | 34.120.208.123 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:00.937098026 CET | 1.1.1.1 | 192.168.2.10 | 0xdb68 | No error (0) | telemetry-incoming.r53-2.services.mozilla.com | | 34.120.208.123 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:00.949201107 CET | 1.1.1.1 | 192.168.2.10 | 0xb2b1 | No error (0) | firefox.settings.services.mozilla.com | prod.remote-settings.prod.webservices.mozgcp.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:25:00.949201107 CET | 1.1.1.1 | 192.168.2.10 | 0xb2b1 | No error (0) | prod.remote-settings.prod.webservices.mozgcp.net | | 34.149.100.209 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:00.950239897 CET | 1.1.1.1 | 192.168.2.10 | 0x2cb0 | No error (0) | balrog-aus5.r53-2.services.mozilla.com | prod.balrog.prod.cloudops.mozgcp.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:25:00.950239897 CET | 1.1.1.1 | 192.168.2.10 | 0x2cb0 | No error (0) | prod.balrog.prod.cloudops.mozgcp.net | | 35.244.181.201 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:01.102510929 CET | 1.1.1.1 | 192.168.2.10 | 0xa49d | No error (0) | prod.remote-settings.prod.webservices.mozgcp.net | | 34.149.100.209 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:01.120867014 CET | 1.1.1.1 | 192.168.2.10 | 0x81f2 | No error (0) | us-west1.prod.sumo.prod.webservices.mozgcp.net | | 34.149.128.2 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:04.992599964 CET | 1.1.1.1 | 192.168.2.10 | 0x742a | No error (0) | telemetry-incoming.r53-2.services.mozilla.com | | 34.120.208.123 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:13.854084969 CET | 1.1.1.1 | 192.168.2.10 | 0x16b7 | No error (0) | www.youtube.com | youtube-ui.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.854084969 CET1.1.1.1192.168.2.100x16b7No error (0)youtube-ui.l.google.com172.217.17.46A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.854084969 CET1.1.1.1192.168.2.100x16b7No error (0)youtube-ui.l.google.com142.250.181.78A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.854084969 CET1.1.1.1192.168.2.100x16b7No error (0)youtube-ui.l.google.com142.250.181.110A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.854084969 CET1.1.1.1192.168.2.100x16b7No error (0)youtube-ui.l.google.com172.217.19.238A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.854084969 CET1.1.1.1192.168.2.100x16b7No error (0)youtube-ui.l.google.com172.217.19.206A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.854084969 CET1.1.1.1192.168.2.100x16b7No error (0)youtube-ui.l.google.com216.58.208.238A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.854084969 CET1.1.1.1192.168.2.100x16b7No error (0)youtube-ui.l.google.com142.250.181.142A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.854084969 CET1.1.1.1192.168.2.100x16b7No error (0)youtube-ui.l.google.com172.217.17.78A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.854084969 CET1.1.1.1192.168.2.100x16b7No error (0)youtube-ui.l.google.com172.217.19.14A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.854374886 CET1.1.1.1192.168.2.100x9bc7No error (0)www.facebook.comstar-mini.c10r.facebook.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.854374886 CET1.1.1.1192.168.2.100x9bc7No error (0)star-mini.c10r.facebook.com157.240.195.35A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.855351925 CET1.1.1.1192.168.2.100xdaedNo error (0)www.wikipedia.orgdyna.wikimedia.orgCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.855351925 CET1.1.1.1192.168.2.100xdaedNo error (0)dyna.wikimedia.org185.15.58.224A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.992786884 CET1.1.1.1192.168.2.100x7389No error (0)youtube-ui.l.google.com142.250.181.78A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.992786884 CET1.1.1.1192.168.2.100x7389No error (0)youtube-ui.l.google.com172.217.19.238A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.992786884 CET1.1.1.1192.168.2.100x7389No error (0)youtube-ui.l.google.com172.217.19.14A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.992786884 CET1.1.1.1192.168.2.100x7389No error (0)youtube-ui.l.google.com172.217.17.46A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.992786884 CET1.1.1.1192.168.2.100x7389No error (0)youtube-ui.l.google.com142.250.181.110A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.992786884 CET1.1.1.1192.168.2.100x7389No error (0)youtube-ui.l.google.com172.217.17.78A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.992786884 CET1.1.1.1192.168.2.100x7389No error (0)youtube-ui.l.google.com172.217.19.206A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.992786884 CET1.1.1.1192.168.2.100x7389No error (0)youtube-ui.l.google.com142.250.181.142A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.992786884 CET1.1.1.1192.168.2.100x7389No error (0)youtube-ui.l.google.com216.58.208.238A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:13.994565964 CET1.1.1.1192.168.2.100xab9aNo error (0)star-mini.c10r.facebook.com157.240.196.35A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.079643965 CET1.1.1.1192.168.2.100x7222No error (0)dyna.wikimedia.org185.15.58.224A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.131489038 CET1.1.1.1192.168.2.100xcebdNo error (0)youtube-ui.l.google.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.131489038 CET1.1.1.1192.168.2.100xcebdNo error (0)youtube-ui.l.google.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.131489038 CET1.1.1.1192.168.2.100xcebdNo error (0)youtube-ui.l.google.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.131489038 CET1.1.1.1192.168.2.100xcebdNo error (0)youtube-ui.l.google.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.133193970 CET1.1.1.1192.168.2.100xdfd2No error (0)star-mini.c10r.facebook.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.217978954 CET1.1.1.1192.168.2.100xefefNo error (0)dyna.wikimedia.org28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.271123886 CET1.1.1.1192.168.2.100x4109No error (0)www.reddit.comreddit.map.fastly.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.271123886 CET1.1.1.1192.168.2.100x4109No error (0)reddit.map.fastly.net151.101.65.140A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.271123886 CET1.1.1.1192.168.2.100x4109No error (0)reddit.map.fastly.net151.101.129.140A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.271123886 CET1.1.1.1192.168.2.100x4109No error (0)reddit.map.fastly.net151.101.193.140A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.271123886 CET1.1.1.1192.168.2.100x4109No error (0)reddit.map.fastly.net151.101.1.140A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.272845984 CET1.1.1.1192.168.2.100xdac5No error (0)twitter.com104.244.42.193A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.416100979 CET1.1.1.1192.168.2.100x69cbNo error (0)twitter.com104.244.42.193A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.417120934 CET1.1.1.1192.168.2.100x717No error (0)reddit.map.fastly.net151.101.129.140A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.417120934 CET1.1.1.1192.168.2.100x717No error (0)reddit.map.fastly.net151.101.65.140A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.417120934 CET1.1.1.1192.168.2.100x717No error (0)reddit.map.fastly.net151.101.1.140A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:14.417120934 CET1.1.1.1192.168.2.100x717No error (0)reddit.map.fastly.net151.101.193.140A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.364566088 CET1.1.1.1192.168.2.100xdee5No error (0)balrog-aus5.r53-2.services.mozilla.comprod.balrog.prod.cloudops.mozgcp.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.364566088 CET1.1.1.1192.168.2.100xdee5No error (0)prod.balrog.prod.cloudops.mozgcp.net35.244.181.201A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.489517927 CET1.1.1.1192.168.2.100x411fNo error (0)services.addons.mozilla.org151.101.1.91A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.489517927 CET1.1.1.1192.168.2.100x411fNo error (0)services.addons.mozilla.org151.101.129.91A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.489517927 CET1.1.1.1192.168.2.100x411fNo error (0)services.addons.mozilla.org151.101.193.91A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.489517927 CET1.1.1.1192.168.2.100x411fNo error (0)services.addons.mozilla.org151.101.65.91A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.582751036 CET1.1.1.1192.168.2.100xc47dNo error (0)normandy.cdn.mozilla.netnormandy-cdn.services.mozilla.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.582751036 CET1.1.1.1192.168.2.100xc47dNo error (0)normandy-cdn.services.mozilla.com35.201.103.21A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.630866051 CET1.1.1.1192.168.2.100x5b67No error (0)services.addons.mozilla.org151.101.65.91A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.630866051 CET1.1.1.1192.168.2.100x5b67No error (0)services.addons.mozilla.org151.101.193.91A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.630866051 CET1.1.1.1192.168.2.100x5b67No error (0)services.addons.mozilla.org151.101.129.91A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.630866051 CET1.1.1.1192.168.2.100x5b67No error (0)services.addons.mozilla.org151.101.1.91A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.725446939 CET1.1.1.1192.168.2.100x5087No error (0)normandy-cdn.services.mozilla.com35.201.103.21A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.768748999 CET1.1.1.1192.168.2.100xea2bNo error (0)services.addons.mozilla.org28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:20.768748999 CET1.1.1.1192.168.2.100xea2bNo error (0)services.addons.mozilla.org28IN (0x0001)false
Dec 16, 2024 10:25:20.768748999 CET | 1.1.1.1 | 192.168.2.10 | 0xea2b | No error (0) | services.addons.mozilla.org | 28 | IN (0x0001) | false
Dec 16, 2024 10:25:20.768748999 CET | 1.1.1.1 | 192.168.2.10 | 0xea2b | No error (0) | services.addons.mozilla.org | 28 | IN (0x0001) | false
Dec 16, 2024 10:25:21.661498070 CET | 1.1.1.1 | 192.168.2.10 | 0x4d50 | No error (0) | detectportal.firefox.com | detectportal.prod.mozaws.net | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:25:21.661498070 CET | 1.1.1.1 | 192.168.2.10 | 0x4d50 | No error (0) | prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:23.102718115 CET | 1.1.1.1 | 192.168.2.10 | 0xd897 | No error (0) | detectportal.firefox.com | detectportal.prod.mozaws.net | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:25:23.102718115 CET | 1.1.1.1 | 192.168.2.10 | 0xd897 | No error (0) | prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:23.555728912 CET | 1.1.1.1 | 192.168.2.10 | 0xeb07 | No error (0) | a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com | a17.rackcdn.com | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:25:23.555728912 CET | 1.1.1.1 | 192.168.2.10 | 0xeb07 | No error (0) | a17.rackcdn.com | a17.rackcdn.com.mdc.edgesuite.net | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:25:41.230123997 CET | 1.1.1.1 | 192.168.2.10 | 0x754 | No error (0) | detectportal.firefox.com | detectportal.prod.mozaws.net | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 10:25:41.230123997 CET | 1.1.1.1 | 192.168.2.10 | 0x754 | No error (0) | prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 10:25:42.666241884 CET | 1.1.1.1 | 192.168.2.10 | 0x9651 | No error (0) | push.services.mozilla.com | 34.107.243.93 | A (IP address) | IN (0x0001) | false
• detectportal.firefox.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49734 | 34.107.221.82 | 80 | 7332 | C:\Program Files\Mozilla Firefox\firefox.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 10:24:53.695729971 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 16, 2024 10:24:54.781326056 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Sun, 15 Dec 2024 14:40:27 GMT
Age: 67467
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49748 | 34.107.221.82 | 80 | 7332 | C:\Program Files\Mozilla Firefox\firefox.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 10:24:55.503408909 CET | 305 | OUT | GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 16, 2024 10:24:56.591360092 CET | 216 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Sun, 15 Dec 2024 11:58:44 GMT
Age: 77172
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49749 | 34.107.221.82 | 80 | 7332 | C:\Program Files\Mozilla Firefox\firefox.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 10:24:55.503544092 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 16, 2024 10:24:56.587610960 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Sun, 15 Dec 2024 10:09:25 GMT
Age: 83731
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 16, 2024 10:25:00.808202028 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:01.122091055 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 10:09:25 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 83735
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:04.849334955 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.165278912 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 10:09:25 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 83740
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:06.991801023 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:07.306010008 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 10:09:25 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 83742
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:11.041141033 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:11.355268002 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 10:09:25 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 83746
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 16, 2024 10:25:21.363339901 CET 6 OUT Data Raw: 00
Data Ascii:
Dec 16, 2024 10:25:21.523608923 CET 303 OUT GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 16, 2024 10:25:21.837635040 CET 298 IN HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Sun, 15 Dec 2024 10:09:25 GMT
Age: 83756
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 16, 2024 10:25:22.521419048 CET 303 OUT GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 16, 2024 10:25:22.835428953 CET 298 IN HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Sun, 15 Dec 2024 10:09:25 GMT
Age: 83757
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 16, 2024 10:25:22.965111017 CET 303 OUT GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 16, 2024 10:25:23.279174089 CET 298 IN HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Sun, 15 Dec 2024 10:09:25 GMT
Age: 83758
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 16, 2024 10:25:33.282768011 CET 6 OUT Data Raw: 00
Data Ascii:
Dec 16, 2024 10:25:41.091428041 CET 303 OUT GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 16, 2024 10:25:41.405356884 CET 298 IN HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Sun, 15 Dec 2024 10:09:25 GMT
Age: 83776
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 16, 2024 10:25:44.048804998 CET 303 OUT GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.362835884 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 10:09:25 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 83779
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.371500969 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.685659885 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 10:09:25 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 83786
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:01.696938038 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:11.826885939 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:21.956497908 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:25.494445086 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:25.808125973 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 10:09:25 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 83820
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:35.810894966 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:45.941428900 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49754 | 34.107.221.82 | 80 | 7332 | C:\Program Files\Mozilla Firefox\firefox.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 10:24:57.080851078 CET | 305 | OUT | GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 16, 2024 10:24:58.166661978 CET | 216 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Sun, 15 Dec 2024 09:34:53 GMT
Age: 85805
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:04.529150009 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:04.847712994 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 09:34:53 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 85811
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.460519075 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:05.775178909 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 09:34:53 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 85812
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:08.628768921 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:08.944520950 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 09:34:53 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 85815
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:11.694981098 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
    Cache-Control: no-cache
Dec 16, 2024 10:25:12.009720087 CET | 216 | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Length: 8
    Via: 1.1 google
    Date: Sun, 15 Dec 2024 09:34:53 GMT
    Age: 85818
    Content-Type: text/plain
    Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
    Data Raw: 73 75 63 63 65 73 73 0a
    Data Ascii: success
Dec 16, 2024 10:25:21.841152906 CET | 305 | OUT | GET /success.txt?ipv4 HTTP/1.1
    Host: detectportal.firefox.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
Dec 16, 2024 10:25:22.155699968 CET | 216 | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Length: 8
    Via: 1.1 google
    Date: Sun, 15 Dec 2024 09:34:53 GMT
    Age: 85828
    Content-Type: text/plain
    Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
    Data Raw: 73 75 63 63 65 73 73 0a
    Data Ascii: success
Dec 16, 2024 10:25:22.838587999 CET | 305 | OUT | GET /success.txt?ipv4 HTTP/1.1
    Host: detectportal.firefox.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
Dec 16, 2024 10:25:23.153635979 CET | 216 | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Length: 8
    Via: 1.1 google
    Date: Sun, 15 Dec 2024 09:34:53 GMT
    Age: 85829
    Content-Type: text/plain
    Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
    Data Raw: 73 75 63 63 65 73 73 0a
    Data Ascii: success
Dec 16, 2024 10:25:23.282648087 CET | 305 | OUT | GET /success.txt?ipv4 HTTP/1.1
    Host: detectportal.firefox.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
Dec 16, 2024 10:25:23.597245932 CET | 216 | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Length: 8
    Via: 1.1 google
    Date: Sun, 15 Dec 2024 09:34:53 GMT
    Age: 85830
    Content-Type: text/plain
    Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
    Data Raw: 73 75 63 63 65 73 73 0a
    Data Ascii: success
Dec 16, 2024 10:25:33.599428892 CET | 6 | OUT | Data Raw: 00
    Data Ascii:
Dec 16, 2024 10:25:41.408659935 CET | 305 | OUT | GET /success.txt?ipv4 HTTP/1.1
    Host: detectportal.firefox.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
Dec 16, 2024 10:25:41.723278046 CET | 216 | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Length: 8
    Via: 1.1 google
    Date: Sun, 15 Dec 2024 09:34:53 GMT
    Age: 85848
    Content-Type: text/plain
    Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
    Data Raw: 73 75 63 63 65 73 73 0a
    Data Ascii: success
Dec 16, 2024 10:25:44.365964890 CET | 305 | OUT | GET /success.txt?ipv4 HTTP/1.1
    Host: detectportal.firefox.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:44.680393934 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 09:34:53 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 85851
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:51.691028118 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:25:52.006180048 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 09:34:53 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 85858
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:02.013510942 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:12.143410921 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:22.272856951 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:25.811867952 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:26.126329899 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 09:34:53 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 85892
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:36.133974075 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                              Dec 16, 2024 10:26:46.263752937 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
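The records above fuse the timestamp, byte count, direction and payload into one line, which makes it tedious to tell browser housekeeping from traffic that deserves attention. The following is an added example, not part of the Joe Sandbox report: it parses records in this layout, groups outbound requests by Host header, and separates hosts on a small allow-list of known browser probes (detectportal.firefox.com is Firefox's captive-portal check) from everything else. The sample log, the host `example.invalid` and the `/upload` path are constructed for the demonstration; the allow-list is an assumption, not sandbox output.

```python
"""Parse Joe Sandbox-style HTTP packet records and separate Firefox's
captive-portal probe from other outbound traffic.

Added example, not part of the sandbox report. The sample lines below are
constructed to mirror the report's fused "timestamp bytes direction data"
layout; the host example.invalid and the /upload request are invented.
"""
import re
from collections import defaultdict

# Constructed sample: the sandbox runs the four columns together on one
# line, e.g. "...CET305OUTGET /success.txt?ipv4 HTTP/1.1".
SAMPLE_LOG = """\
Dec 16, 2024 10:25:44.365964890 CET305OUTGET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Dec 16, 2024 10:25:44.680393934 CET216INHTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 16, 2024 10:26:02.013510942 CET6OUTData Raw: 00
Data Ascii:
Dec 16, 2024 10:26:05.000000000 CET120OUTPOST /upload HTTP/1.1
Host: example.invalid
Content-Length: 12
"""

# Assumed allow-list of hosts whose requests are browser housekeeping.
# detectportal.firefox.com/success.txt is Firefox's captive-portal probe.
KNOWN_BROWSER_PROBES = {"detectportal.firefox.com"}

# "Dec 16, 2024 10:25:44.365964890 CET" + byte count + IN/OUT + payload.
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]{3,4})"
    r"(?P<size>\d+)(?P<dir>IN|OUT)(?P<data>.*)$"
)
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.IGNORECASE)


def parse_records(text):
    """Split the fused log into one dict per packet: timestamp, byte count,
    direction, first payload line, and the header lines that follow it."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append({
                "ts": m["ts"],
                "size": int(m["size"]),
                "dir": m["dir"],
                "first_line": m["data"],
                "lines": [],
            })
        elif records:
            # Continuation line (header or decoded body) of the last record.
            records[-1]["lines"].append(line)
    return records


def host_of(record):
    """Return the lower-cased Host header of a record, or None if absent."""
    for line in record["lines"]:
        m = HOST_RE.match(line)
        if m:
            return m.group(1).lower()
    return None


def triage(records):
    """Group outbound HTTP requests by host and split known browser probes
    from the remaining hosts, which are the candidates for sample traffic.
    Outbound frames with no request line (e.g. "Data Raw: 00") are counted
    separately because they carry no Host header to classify."""
    by_host = defaultdict(list)
    bare_out_frames = 0
    for r in records:
        if r["dir"] != "OUT":
            continue
        if r["first_line"].startswith("Data Raw:"):
            bare_out_frames += 1
            continue
        by_host[host_of(r) or "<no Host header>"].append(r)
    return {
        "probe_hosts": sorted(h for h in by_host if h in KNOWN_BROWSER_PROBES),
        "other_hosts": sorted(h for h in by_host if h not in KNOWN_BROWSER_PROBES),
        "requests_per_host": {h: len(v) for h, v in by_host.items()},
        "bare_out_frames": bare_out_frames,
    }


if __name__ == "__main__":
    for key, value in triage(parse_records(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against a full report, the `other_hosts` list is where analysis time should go; the allow-list should stay short and explicit, since a sample can deliberately contact well-known domains to blend in.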
Target ID: 0
Start time: 04:24:43
Start date: 16/12/2024
Path: C:\Users\user\Desktop\P0HV8mjHS1.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\P0HV8mjHS1.exe"
Imagebase: 0xbb0000
File size: 970'752 bytes
MD5 hash: 1D201EBA6524CE8727DADF2031FC2B4A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                                                                                                                                                                                                                                                                                                                                              Target ID:2
                                                                                                                                                                                                                                                                                                                                                                              Start time:04:24:43
                                                                                                                                                                                                                                                                                                                                                                              Start date:16/12/2024
                                                                                                                                                                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                                                              Commandline:taskkill /F /IM firefox.exe /T
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0x620000
                                                                                                                                                                                                                                                                                                                                                                              File size:74'240 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                                                                                                              Target ID:3
                                                                                                                                                                                                                                                                                                                                                                              Start time:04:24:43
                                                                                                                                                                                                                                                                                                                                                                              Start date:16/12/2024
                                                                                                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0x7ff620390000
                                                                                                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                                                                                                              Target ID:4
                                                                                                                                                                                                                                                                                                                                                                              Start time:04:24:46
                                                                                                                                                                                                                                                                                                                                                                              Start date:16/12/2024
                                                                                                                                                                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                                                              Commandline:taskkill /F /IM chrome.exe /T
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0x620000
                                                                                                                                                                                                                                                                                                                                                                              File size:74'240 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                                                                                                              Target ID:5
                                                                                                                                                                                                                                                                                                                                                                              Start time:04:24:46
                                                                                                                                                                                                                                                                                                                                                                              Start date:16/12/2024
                                                                                                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0x7ff620390000
                                                                                                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                                                                                                              Target ID:6
                                                                                                                                                                                                                                                                                                                                                                              Start time:04:24:46
                                                                                                                                                                                                                                                                                                                                                                              Start date:16/12/2024
                                                                                                                                                                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                                                              Commandline:taskkill /F /IM msedge.exe /T
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0x620000
                                                                                                                                                                                                                                                                                                                                                                              File size:74'240 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                                                                                                              Target ID:7
Start time:04:24:46
Start date:16/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:04:24:46
Start date:16/12/2024
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM opera.exe /T
Imagebase:0x620000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:04:24:46
Start date:16/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:04:24:46
Start date:16/12/2024
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM brave.exe /T
Imagebase:0x620000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:04:24:46
Start date:16/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff620390000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:12
Start time:04:24:47
Start date:16/12/2024
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:0x7ff613480000
File size:676'768 bytes
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:13
Start time:04:24:47
Start date:16/12/2024
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:0x7ff613480000
File size:676'768 bytes
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                                                                                                              Target ID:14
                                                                                                                                                                                                                                                                                                                                                                              Start time:04:24:47
                                                                                                                                                                                                                                                                                                                                                                              Start date:16/12/2024
                                                                                                                                                                                                                                                                                                                                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0x7ff613480000
                                                                                                                                                                                                                                                                                                                                                                              File size:676'768 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                                                                                                                                                              Target ID:16
                                                                                                                                                                                                                                                                                                                                                                              Start time:04:24:48
                                                                                                                                                                                                                                                                                                                                                                              Start date:16/12/2024
                                                                                                                                                                                                                                                                                                                                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2172 -prefsLen 25358 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ad7f508-ae10-4797-94a8-42f485d40445} 7332 "\\.\pipe\gecko-crash-server-pipe.7332" 1569726f510 socket
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0x7ff613480000
                                                                                                                                                                                                                                                                                                                                                                              File size:676'768 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                                                                                                                                                              Target ID:18
                                                                                                                                                                                                                                                                                                                                                                              Start time:04:24:50
                                                                                                                                                                                                                                                                                                                                                                              Start date:16/12/2024
                                                                                                                                                                                                                                                                                                                                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -parentBuildID 20230927232528 -prefsHandle 3720 -prefMapHandle 4092 -prefsLen 26373 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7f145a7-2cf0-440e-8897-25c02c759692} 7332 "\\.\pipe\gecko-crash-server-pipe.7332" 156a956c510 rdd
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0x7ff613480000
                                                                                                                                                                                                                                                                                                                                                                              File size:676'768 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                                                                                                                                                              Target ID:20
                                                                                                                                                                                                                                                                                                                                                                              Start time:04:25:03
                                                                                                                                                                                                                                                                                                                                                                              Start date:16/12/2024
                                                                                                                                                                                                                                                                                                                                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5096 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4832 -prefMapHandle 5108 -prefsLen 33184 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cea3218c-8734-46eb-8bf4-f4aef17ce0d4} 7332 "\\.\pipe\gecko-crash-server-pipe.7332" 156af813b10 utility
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0x7ff613480000
                                                                                                                                                                                                                                                                                                                                                                              File size:676'768 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Has exited:false
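The two parent firefox.exe launches above (Target 13 and Target 14) are the lure itself. Both start the browser in --kiosk mode, which removes the address bar and window controls, and both point it at a URL whose visible host is youtube.com while the query string carries a Google sign-in challenge page; pop-up blocking and the default-browser prompt are switched off so nothing interrupts the fake login. Target 13 additionally carries --attempting-deelevation, the switch Firefox's launcher uses when it re-spawns itself without elevation, and has already exited; Target 14, without it, is the surviving browser. The later content processes (-contentproc) carry no URL at all. A process-creation detection can key on exactly that combination. The following Python is an added example written for this page, not Joe Sandbox code and not code from the analysed sample; the switch list, the indicator hosts and path fragments, and the alert condition (kiosk mode together with a sign-in URL on the command line) are assumptions, and the sample records reuse the command lines shown above plus one constructed benign launch.

```python
"""Flag kiosk-mode browser launches that land on a sign-in page.

Added example for this report page; not Joe Sandbox code and not code from
the analysed sample. Switch list, indicator hosts and the alert condition
(kiosk mode AND a sign-in URL on the command line) are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

BROWSER_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe"}

# --kiosk hides the address bar and window controls; the next two suppress
# prompts that would break the illusion; --attempting-deelevation is a Firefox
# launcher switch recorded for context only. Assumed indicator set.
NOTABLE_SWITCHES = {
    "--kiosk",
    "--disable-popup-blocking",
    "--no-default-browser-check",
    "--attempting-deelevation",
}

# Hosts and path fragments that identify an authentication page (assumed set).
AUTH_HOSTS = {"accounts.google.com", "login.microsoftonline.com", "login.live.com"}
AUTH_PATH_HINTS = ("/signin/", "/login", "/challenge/")

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
URL_START_RE = re.compile(r"https?://")


@dataclass
class Finding:
    target_id: int
    image: str
    switches: List[str] = field(default_factory=list)
    auth_urls: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return "--kiosk" in self.switches and bool(self.auth_urls)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def embedded_urls(token: str) -> List[str]:
    """Every URL that starts inside the token, outermost first.

    The report's lure hides the real sign-in page after '?=' so the visible
    host reads youtube.com; parsing from each 'https://' exposes the inner URL.
    """
    return [token[m.start():] for m in URL_START_RE.finditer(token)]


def is_auth_page(url: str) -> bool:
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host in AUTH_HOSTS or any(h in parsed.path.lower() for h in AUTH_PATH_HINTS)


def analyze(target_id: int, cmdline: str) -> Optional[Finding]:
    """Return a Finding for a browser launch, None for any other image."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    if image not in BROWSER_IMAGES:
        return None

    finding = Finding(target_id, image)
    finding.switches = [t for t in tokens[1:] if t in NOTABLE_SWITCHES]
    hidden = []
    for token in tokens[1:]:
        chain = embedded_urls(token)
        finding.auth_urls += [u for u in chain if is_auth_page(u)]
        if len(chain) > 1 and is_auth_page(chain[-1]):
            outer, inner = (urlparse(u).hostname for u in (chain[0], chain[-1]))
            if outer != inner:
                hidden.append(f"sign-in host {inner} hidden behind visible host {outer}")
    if "--kiosk" in finding.switches:
        finding.reasons.append("browser started in kiosk mode")
    if finding.auth_urls:
        finding.reasons.append("command line targets a sign-in page")
    finding.reasons += hidden
    return finding


def scan(records: List[Tuple[int, str]]) -> List[Finding]:
    """Run analyze() over (target id, command line) records; keep suspicious ones."""
    findings = (analyze(tid, cmd) for tid, cmd in records)
    return [f for f in findings if f is not None and f.suspicious]


# Constructed sample: Targets 13, 14 and 16 are the report's own command lines;
# Target 99 is a made-up benign launch for contrast.
SAMPLE_RECORDS: List[Tuple[int, str]] = [
    (13, r'"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation'),
    (14, r'"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking'),
    (16, r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2172 -prefsLen 25358 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ad7f508-ae10-4797-94a8-42f485d40445} 7332 "\\.\pipe\gecko-crash-server-pipe.7332" 1569726f510 socket'),
    (99, r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://example.org/docs'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"Target {f.target_id} {f.image}: {'; '.join(f.reasons)}")
```

Only the two kiosk launches are reported; the content processes and the benign launch produce a Finding with no reasons and are filtered out. In a real pipeline the records would come from Sysmon event 1 or an EDR process-creation feed, and the parent image (here the dropped executable rather than explorer.exe) is worth adding as a second condition to cut false positives from legitimate kiosk deployments.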


Execution Graph

Execution Coverage:2.6%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:6.2%
Total number of Nodes:1746
Total number of Limit Nodes:48

[Execution graph: the interactive node/edge listing (1746 nodes) is not reproduced here. API calls named in the graph: PeekMessageW, GetInputState, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, IsDialogMessageW, GetClassLongW, GetForegroundWindow (window message loop); timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, Sleep (timing); CreateToolhelp32Snapshot, Process32FirstW (process enumeration); GetExitCodeProcess, WaitForSingleObject, WaitForSingleObjectEx, CloseHandle (waiting on a child process); EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent (synchronisation); and the CRT internals __wsopen_s, __fread_nolock, __Init_thread_wait, __onexit and _wcslen.]
95896->95903 95897 bba961 22 API calls 95897->95899 96385 c2359c 82 API calls __wsopen_s 95898->96385 95899->95881 95899->95883 95899->95884 95899->95886 95899->95887 95899->95888 95899->95894 95899->95895 95899->95896 95899->95897 95900 bd00a3 29 API calls pre_c_initialization 95899->95900 95902 bd01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 95899->95902 95899->95903 96319 bc01e0 95899->96319 96380 bc06a0 41 API calls messages 95899->96380 95900->95899 95902->95899 95903->95895 96383 c2359c 82 API calls __wsopen_s 95903->96383 95904->95713 95905->95719 95906->95719 95907->95719 96417 c1def7 95908->96417 95910 c1d529 Process32NextW 95911 c1d5db CloseHandle 95910->95911 95917 c1d522 95910->95917 95911->95719 95912 bba961 22 API calls 95912->95917 95913 bb9cb3 22 API calls 95913->95917 95917->95910 95917->95911 95917->95912 95917->95913 96423 bb525f 22 API calls 95917->96423 96424 bb6350 22 API calls 95917->96424 96425 bcce60 41 API calls 95917->96425 95919 bbec40 348 API calls 95918->95919 95921 bbd29d 95919->95921 95922 bbd30b messages 95921->95922 95923 bbd3c3 95921->95923 95929 bbd6d5 95921->95929 95930 bbd4b8 95921->95930 95931 bcfddb 22 API calls 95921->95931 95936 c01bc4 95921->95936 95945 bbd429 __fread_nolock messages 95921->95945 95922->95733 95925 bbd3ce 95923->95925 95923->95929 95924 bbd5ff 95927 c01bb5 95924->95927 95928 bbd614 95924->95928 95951 bcfddb 95925->95951 95978 c35705 23 API calls 95927->95978 95934 bcfddb 22 API calls 95928->95934 95929->95922 95932 bcfe0b 22 API calls 95929->95932 95962 bcfe0b 95930->95962 95931->95921 95938 bbd3d5 __fread_nolock 95932->95938 95941 bbd46a 95934->95941 95979 c2359c 82 API calls __wsopen_s 95936->95979 95937 bcfddb 22 API calls 95939 bbd3f6 95937->95939 95938->95937 95938->95939 95939->95945 95961 bbbec0 348 API calls 95939->95961 95941->95733 95942 c01ba4 95977 c2359c 82 API calls __wsopen_s 95942->95977 95945->95924 95945->95941 95945->95942 95946 c01b7f 
95945->95946 95948 c01b5d 95945->95948 95972 bb1f6f 95945->95972 95976 c2359c 82 API calls __wsopen_s 95946->95976 95975 c2359c 82 API calls __wsopen_s 95948->95975 95950->95735 95954 bcfde0 95951->95954 95953 bcfdfa 95953->95938 95954->95953 95957 bcfdfc 95954->95957 95980 bdea0c 95954->95980 95987 bd4ead 7 API calls 2 library calls 95954->95987 95956 bd066d 95989 bd32a4 RaiseException 95956->95989 95957->95956 95988 bd32a4 RaiseException 95957->95988 95959 bd068a 95959->95938 95961->95945 95963 bcfddb 95962->95963 95964 bdea0c ___std_exception_copy 21 API calls 95963->95964 95965 bcfdfa 95963->95965 95968 bcfdfc 95963->95968 95992 bd4ead 7 API calls 2 library calls 95963->95992 95964->95963 95965->95945 95967 bd066d 95994 bd32a4 RaiseException 95967->95994 95968->95967 95993 bd32a4 RaiseException 95968->95993 95970 bd068a 95970->95945 95973 bbec40 348 API calls 95972->95973 95974 bb1f98 95973->95974 95974->95945 95975->95941 95976->95941 95977->95941 95978->95936 95979->95922 95986 be3820 _abort 95980->95986 95981 be385e 95991 bdf2d9 20 API calls _abort 95981->95991 95982 be3849 RtlAllocateHeap 95984 be385c 95982->95984 95982->95986 95984->95954 95986->95981 95986->95982 95990 bd4ead 7 API calls 2 library calls 95986->95990 95987->95954 95988->95956 95989->95959 95990->95986 95991->95984 95992->95963 95993->95967 95994->95970 95995->95751 95996->95751 95997->95751 95998->95740 96000 bcfe0b 22 API calls 95999->96000 96001 bba976 96000->96001 96002 bcfddb 22 API calls 96001->96002 96003 bba984 96002->96003 96004 bd00a3 29 API calls __onexit 96003->96004 96004->95747 96005->95751 96006->95751 96007->95751 96008->95751 96009->95751 96010->95751 96012 bbae01 96011->96012 96015 bbae1c messages 96011->96015 96054 bbaec9 96012->96054 96014 bbae09 CharUpperBuffW 96014->96015 96015->95761 96017 bbacae 96016->96017 96018 bbacd1 96017->96018 96060 c2359c 82 API calls __wsopen_s 96017->96060 96018->95813 96021 bffadb 96020->96021 96022 bbad92 96020->96022 96023 bcfddb 22 API 
calls 96022->96023 96024 bbad99 96023->96024 96061 bbadcd 96024->96061 96028 bbacf9 96027->96028 96036 bbad2a messages 96027->96036 96029 bbad55 96028->96029 96031 bbad01 messages 96028->96031 96029->96036 96069 bba8c7 22 API calls __fread_nolock 96029->96069 96032 bffa48 96031->96032 96033 bbad21 96031->96033 96031->96036 96032->96036 96070 bcce17 22 API calls messages 96032->96070 96035 bffa3a VariantClear 96033->96035 96033->96036 96035->96036 96036->95810 96037->95814 96038->95814 96039->95766 96040->95803 96041->95780 96042->95803 96043->95803 96044->95813 96045->95813 96046->95813 96047->95813 96048->95813 96049->95792 96050->95803 96051->95798 96052->95801 96053->95803 96055 bbaed9 __fread_nolock 96054->96055 96056 bbaedc 96054->96056 96055->96014 96057 bcfddb 22 API calls 96056->96057 96058 bbaee7 96057->96058 96059 bcfe0b 22 API calls 96058->96059 96059->96055 96060->96018 96064 bbaddd 96061->96064 96062 bbadb6 96062->95813 96063 bcfddb 22 API calls 96063->96064 96064->96062 96064->96063 96065 bba961 22 API calls 96064->96065 96067 bbadcd 22 API calls 96064->96067 96068 bba8c7 22 API calls __fread_nolock 96064->96068 96065->96064 96067->96064 96068->96064 96069->96036 96070->96036 96072 bc1981 96071->96072 96079 bc195d 96071->96079 96127 bd0242 5 API calls __Init_thread_wait 96072->96127 96073 bc13a0 96073->95835 96075 bc198b 96075->96079 96128 bd01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96075->96128 96077 bc8727 96077->96073 96130 bd01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96077->96130 96079->96073 96129 bd0242 5 API calls __Init_thread_wait 96079->96129 96131 bb7510 96081->96131 96085 c25c77 96085->95870 96163 c42ad8 96086->96163 96088 c4159f 96088->95870 96191 c3aff9 96089->96191 96091 c3ac54 96091->95870 96092 c3ac0c 96092->96091 96093 bbaceb 23 API calls 96092->96093 96093->96091 96095 bbb567 39 API calls 96094->96095 96096 bcf659 96095->96096 96097 c0f2dc Sleep 96096->96097 96098 bcf661 timeGetTime 
96096->96098 96099 bbb567 39 API calls 96098->96099 96100 bcf677 96099->96100 96100->95870 96102 bb7510 53 API calls 96101->96102 96103 c3a306 96102->96103 96104 c1d4dc 47 API calls 96103->96104 96105 c3a315 96104->96105 96105->95870 96107 c3aff9 217 API calls 96106->96107 96108 c3ab79 96107->96108 96108->95870 96109->95868 96110->95830 96112 bb9cc2 _wcslen 96111->96112 96113 bcfe0b 22 API calls 96112->96113 96114 bb9cea __fread_nolock 96113->96114 96115 bcfddb 22 API calls 96114->96115 96116 bb9d00 96115->96116 96116->95843 96117->95832 96118->95855 96119->95855 96120->95828 96121->95870 96122->95870 96123->95870 96124->95853 96125->95870 96126->95870 96127->96075 96128->96079 96129->96077 96130->96073 96132 bb7525 96131->96132 96147 bb7522 96131->96147 96133 bb755b 96132->96133 96134 bb752d 96132->96134 96136 bb756d 96133->96136 96143 bf50f6 96133->96143 96145 bf500f 96133->96145 96159 bd51c6 26 API calls 96134->96159 96160 bcfb21 51 API calls 96136->96160 96139 bb753d 96142 bcfddb 22 API calls 96139->96142 96140 bf510e 96140->96140 96144 bb7547 96142->96144 96162 bd5183 26 API calls 96143->96162 96146 bb9cb3 22 API calls 96144->96146 96148 bcfe0b 22 API calls 96145->96148 96153 bf5088 96145->96153 96146->96147 96154 c1dbbe lstrlenW 96147->96154 96149 bf5058 96148->96149 96150 bcfddb 22 API calls 96149->96150 96151 bf507f 96150->96151 96152 bb9cb3 22 API calls 96151->96152 96152->96153 96161 bcfb21 51 API calls 96153->96161 96155 c1dc06 96154->96155 96156 c1dbdc GetFileAttributesW 96154->96156 96155->96085 96156->96155 96157 c1dbe8 FindFirstFileW 96156->96157 96157->96155 96158 c1dbf9 FindClose 96157->96158 96158->96155 96159->96139 96160->96139 96161->96143 96162->96140 96164 bbaceb 23 API calls 96163->96164 96165 c42af3 96164->96165 96166 c42b1d 96165->96166 96167 c42aff 96165->96167 96174 bb6b57 96166->96174 96168 bb7510 53 API calls 96167->96168 96170 c42b0c 96168->96170 96171 c42b1b 96170->96171 96173 bba8c7 22 API calls __fread_nolock 96170->96173 
96171->96088 96173->96171 96175 bb6b67 _wcslen 96174->96175 96176 bf4ba1 96174->96176 96179 bb6b7d 96175->96179 96180 bb6ba2 96175->96180 96187 bb93b2 96176->96187 96178 bf4baa 96178->96178 96186 bb6f34 22 API calls 96179->96186 96181 bcfddb 22 API calls 96180->96181 96184 bb6bae 96181->96184 96183 bb6b85 __fread_nolock 96183->96171 96185 bcfe0b 22 API calls 96184->96185 96185->96183 96186->96183 96188 bb93c0 96187->96188 96190 bb93c9 __fread_nolock 96187->96190 96189 bbaec9 22 API calls 96188->96189 96188->96190 96189->96190 96190->96178 96192 c3b01d ___scrt_fastfail 96191->96192 96193 c3b094 96192->96193 96194 c3b058 96192->96194 96198 bbb567 39 API calls 96193->96198 96199 c3b08b 96193->96199 96289 bbb567 96194->96289 96196 c3b063 96196->96199 96202 bbb567 39 API calls 96196->96202 96197 c3b0ed 96200 bb7510 53 API calls 96197->96200 96201 c3b0a5 96198->96201 96199->96197 96203 bbb567 39 API calls 96199->96203 96204 c3b10b 96200->96204 96205 bbb567 39 API calls 96201->96205 96206 c3b078 96202->96206 96203->96197 96282 bb7620 96204->96282 96205->96199 96209 bbb567 39 API calls 96206->96209 96208 c3b115 96210 c3b1d8 96208->96210 96211 c3b11f 96208->96211 96209->96199 96213 c3b20a GetCurrentDirectoryW 96210->96213 96216 bb7510 53 API calls 96210->96216 96212 bb7510 53 API calls 96211->96212 96214 c3b130 96212->96214 96215 bcfe0b 22 API calls 96213->96215 96217 bb7620 22 API calls 96214->96217 96218 c3b22f GetCurrentDirectoryW 96215->96218 96219 c3b1ef 96216->96219 96220 c3b13a 96217->96220 96221 c3b23c 96218->96221 96222 bb7620 22 API calls 96219->96222 96223 bb7510 53 API calls 96220->96223 96226 c3b275 96221->96226 96294 bb9c6e 22 API calls 96221->96294 96224 c3b1f9 _wcslen 96222->96224 96225 c3b14b 96223->96225 96224->96213 96224->96226 96227 bb7620 22 API calls 96225->96227 96231 c3b287 96226->96231 96232 c3b28b 96226->96232 96229 c3b155 96227->96229 96233 bb7510 53 API calls 96229->96233 96230 c3b255 96295 bb9c6e 22 API calls 96230->96295 96239 c3b39a 
CreateProcessW 96231->96239 96240 c3b2f8 96231->96240 96297 c207c0 10 API calls 96232->96297 96236 c3b166 96233->96236 96241 bb7620 22 API calls 96236->96241 96237 c3b265 96296 bb9c6e 22 API calls 96237->96296 96238 c3b294 96298 c206e6 10 API calls 96238->96298 96281 c3b32f _wcslen 96239->96281 96300 c111c8 39 API calls 96240->96300 96245 c3b170 96241->96245 96248 c3b1a6 GetSystemDirectoryW 96245->96248 96253 bb7510 53 API calls 96245->96253 96246 c3b2aa 96299 c205a7 8 API calls 96246->96299 96247 c3b2fd 96251 c3b323 96247->96251 96252 c3b32a 96247->96252 96250 bcfe0b 22 API calls 96248->96250 96257 c3b1cb GetSystemDirectoryW 96250->96257 96301 c11201 128 API calls 2 library calls 96251->96301 96302 c114ce 6 API calls 96252->96302 96254 c3b187 96253->96254 96259 bb7620 22 API calls 96254->96259 96256 c3b2d0 96256->96231 96257->96221 96261 c3b191 _wcslen 96259->96261 96260 c3b328 96260->96281 96261->96221 96261->96248 96262 c3b3d6 GetLastError 96271 c3b41a 96262->96271 96263 c3b42f CloseHandle 96264 c3b43f 96263->96264 96272 c3b49a 96263->96272 96265 c3b451 96264->96265 96266 c3b446 CloseHandle 96264->96266 96269 c3b463 96265->96269 96270 c3b458 CloseHandle 96265->96270 96266->96265 96268 c3b4a6 96268->96271 96273 c3b475 96269->96273 96274 c3b46a CloseHandle 96269->96274 96270->96269 96286 c20175 96271->96286 96272->96268 96277 c3b4d2 CloseHandle 96272->96277 96303 c209d9 34 API calls 96273->96303 96274->96273 96277->96271 96279 c3b486 96304 c3b536 25 API calls 96279->96304 96281->96262 96281->96263 96283 bb762a _wcslen 96282->96283 96284 bcfe0b 22 API calls 96283->96284 96285 bb763f 96284->96285 96285->96208 96305 c2030f 96286->96305 96290 bbb578 96289->96290 96291 bbb57f 96289->96291 96290->96291 96318 bd62d1 39 API calls _strftime 96290->96318 96291->96196 96293 bbb5c2 96293->96196 96294->96230 96295->96237 96296->96226 96297->96238 96298->96246 96299->96256 96300->96247 96301->96260 96302->96281 96303->96279 96304->96272 96306 c20321 CloseHandle 96305->96306 
96307 c20329 96305->96307 96306->96307 96308 c20336 96307->96308 96309 c2032e CloseHandle 96307->96309 96310 c20343 96308->96310 96311 c2033b CloseHandle 96308->96311 96309->96308 96312 c20350 96310->96312 96313 c20348 CloseHandle 96310->96313 96311->96310 96314 c20355 CloseHandle 96312->96314 96315 c2035d 96312->96315 96313->96312 96314->96315 96316 c20362 CloseHandle 96315->96316 96317 c2017d 96315->96317 96316->96317 96317->96092 96318->96293 96320 bc0206 96319->96320 96342 bc027e 96319->96342 96321 c05411 96320->96321 96322 bc0213 96320->96322 96405 c37b7e 348 API calls 2 library calls 96321->96405 96329 c05435 96322->96329 96333 bc021d 96322->96333 96323 c05405 96404 c2359c 82 API calls __wsopen_s 96323->96404 96325 bbec40 348 API calls 96325->96342 96328 c05466 96331 c05471 96328->96331 96332 c05493 96328->96332 96329->96328 96335 c0544d 96329->96335 96330 bc03f9 96352 bc0405 96330->96352 96399 c2359c 82 API calls __wsopen_s 96330->96399 96407 c37b7e 348 API calls 2 library calls 96331->96407 96387 c35689 96332->96387 96334 bc0230 messages 96333->96334 96410 bba8c7 22 API calls __fread_nolock 96333->96410 96343 c0568a 96334->96343 96375 bc0273 messages 96334->96375 96411 c37632 54 API calls __wsopen_s 96334->96411 96406 c2359c 82 API calls __wsopen_s 96335->96406 96336 c051ce messages 96374 bc03b2 messages 96336->96374 96336->96375 96401 c2359c 82 API calls __wsopen_s 96336->96401 96341 c051b9 96400 c2359c 82 API calls __wsopen_s 96341->96400 96342->96325 96342->96330 96342->96336 96342->96341 96342->96352 96364 bc0344 96342->96364 96342->96374 96349 c056c0 96343->96349 96412 c37771 67 API calls 96343->96412 96346 c05332 96346->96334 96403 bba8c7 22 API calls __fread_nolock 96346->96403 96354 bbaceb 23 API calls 96349->96354 96350 c05668 96356 bb7510 53 API calls 96350->96356 96352->95899 96354->96375 96355 c05532 96408 c21119 22 API calls 96355->96408 96368 c05670 _wcslen 96356->96368 96357 c0569e 96358 bb7510 53 API calls 96357->96358 96373 c056a6 _wcslen 
96358->96373 96362 c054b9 96394 c20acc 96362->96394 96363 c05544 96409 bba673 22 API calls 96363->96409 96364->96330 96398 bc04f0 22 API calls 96364->96398 96365 bc03a5 96365->96330 96365->96374 96368->96343 96371 bbaceb 23 API calls 96368->96371 96370 c0554d 96377 c20acc 22 API calls 96370->96377 96371->96343 96372 bc1310 348 API calls 96372->96334 96373->96349 96376 bbaceb 23 API calls 96373->96376 96374->96323 96374->96334 96374->96346 96374->96375 96402 bca308 348 API calls 96374->96402 96375->95899 96376->96349 96378 c05566 96377->96378 96379 bbbf40 348 API calls 96378->96379 96379->96334 96380->95899 96381->95895 96382->95895 96383->95895 96384->95895 96385->95883 96386->95895 96388 c0549e 96387->96388 96389 c356a4 96387->96389 96388->96355 96388->96362 96390 bcfe0b 22 API calls 96389->96390 96392 c356c6 96390->96392 96391 bcfddb 22 API calls 96391->96392 96392->96388 96392->96391 96413 c20a59 96392->96413 96395 c20ada 96394->96395 96396 c054e3 96394->96396 96395->96396 96397 bcfddb 22 API calls 96395->96397 96396->96372 96397->96396 96398->96365 96399->96375 96400->96336 96401->96374 96402->96374 96403->96334 96404->96321 96405->96334 96406->96375 96407->96334 96408->96363 96409->96370 96410->96334 96411->96350 96412->96357 96414 c20a7a 96413->96414 96415 bcfddb 22 API calls 96414->96415 96416 c20a85 96414->96416 96415->96416 96416->96392 96422 c1df02 96417->96422 96418 c1df19 96427 bd62fb 39 API calls _strftime 96418->96427 96421 c1df1f 96421->95917 96422->96418 96422->96421 96426 bd63b2 GetStringTypeW _strftime 96422->96426 96423->95917 96424->95917 96425->95917 96426->96422 96427->96421 97517 bb105b 97522 bb344d 97517->97522 97519 bb106a 97553 bd00a3 29 API calls __onexit 97519->97553 97521 bb1074 97523 bb345d __wsopen_s 97522->97523 97524 bba961 22 API calls 97523->97524 97525 bb3513 97524->97525 97526 bb3a5a 24 API calls 97525->97526 97527 bb351c 97526->97527 97554 bb3357 97527->97554 97530 bb33c6 22 API calls 97531 bb3535 97530->97531 97532 bb515f 22 
API calls 97531->97532 97533 bb3544 97532->97533 97534 bba961 22 API calls 97533->97534 97535 bb354d 97534->97535 97536 bba6c3 22 API calls 97535->97536 97537 bb3556 RegOpenKeyExW 97536->97537 97538 bf3176 RegQueryValueExW 97537->97538 97542 bb3578 97537->97542 97539 bf320c RegCloseKey 97538->97539 97540 bf3193 97538->97540 97539->97542 97549 bf321e _wcslen 97539->97549 97541 bcfe0b 22 API calls 97540->97541 97543 bf31ac 97541->97543 97542->97519 97545 bb5722 22 API calls 97543->97545 97544 bb4c6d 22 API calls 97544->97549 97546 bf31b7 RegQueryValueExW 97545->97546 97547 bf31d4 97546->97547 97550 bf31ee messages 97546->97550 97548 bb6b57 22 API calls 97547->97548 97548->97550 97549->97542 97549->97544 97551 bb9cb3 22 API calls 97549->97551 97552 bb515f 22 API calls 97549->97552 97550->97539 97551->97549 97552->97549 97553->97521 97555 bf1f50 __wsopen_s 97554->97555 97556 bb3364 GetFullPathNameW 97555->97556 97557 bb3386 97556->97557 97558 bb6b57 22 API calls 97557->97558 97559 bb33a4 97558->97559 97559->97530 97560 bb1098 97565 bb42de 97560->97565 97564 bb10a7 97566 bba961 22 API calls 97565->97566 97567 bb42f5 GetVersionExW 97566->97567 97568 bb6b57 22 API calls 97567->97568 97569 bb4342 97568->97569 97570 bb4378 97569->97570 97571 bb93b2 22 API calls 97569->97571 97573 bb441b GetCurrentProcess IsWow64Process 97570->97573 97580 bf37df 97570->97580 97572 bb436c 97571->97572 97574 bb37a0 22 API calls 97572->97574 97575 bb4437 97573->97575 97574->97570 97576 bb444f LoadLibraryA 97575->97576 97577 bf3824 GetSystemInfo 97575->97577 97578 bb449c GetSystemInfo 97576->97578 97579 bb4460 GetProcAddress 97576->97579 97582 bb4476 97578->97582 97579->97578 97581 bb4470 GetNativeSystemInfo 97579->97581 97581->97582 97583 bb447a FreeLibrary 97582->97583 97584 bb109d 97582->97584 97583->97584 97585 bd00a3 29 API calls __onexit 97584->97585 97585->97564 97586 bcf698 97587 bcf6a2 97586->97587 97588 bcf6c3 97586->97588 97595 bbaf8a 97587->97595 97594 c0f2f8 97588->97594 97603 
c14d4a 22 API calls messages 97588->97603 97591 bcf6b2 97592 bbaf8a 22 API calls 97591->97592 97593 bcf6c2 97592->97593 97596 bbaf98 97595->97596 97602 bbafc0 messages 97595->97602 97597 bbafa6 97596->97597 97598 bbaf8a 22 API calls 97596->97598 97599 bbafac 97597->97599 97600 bbaf8a 22 API calls 97597->97600 97598->97597 97599->97602 97604 bbb090 97599->97604 97600->97599 97602->97591 97603->97588 97606 bbb09b messages 97604->97606 97605 bbb0d6 messages 97605->97602 97606->97605 97608 bcce17 22 API calls messages 97606->97608 97608->97605 96428 bd03fb 96429 bd0407 BuildCatchObjectHelperInternal 96428->96429 96457 bcfeb1 96429->96457 96431 bd040e 96432 bd0561 96431->96432 96436 bd0438 96431->96436 96487 bd083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 96432->96487 96434 bd0568 96480 bd4e52 96434->96480 96446 bd0477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 96436->96446 96468 be247d 96436->96468 96442 bd0457 96444 bd04d8 96476 bd0959 96444->96476 96446->96444 96483 bd4e1a 38 API calls 2 library calls 96446->96483 96448 bd04de 96449 bd04f3 96448->96449 96484 bd0992 GetModuleHandleW 96449->96484 96451 bd04fa 96451->96434 96452 bd04fe 96451->96452 96453 bd0507 96452->96453 96485 bd4df5 28 API calls _abort 96452->96485 96486 bd0040 13 API calls 2 library calls 96453->96486 96456 bd050f 96456->96442 96458 bcfeba 96457->96458 96489 bd0698 IsProcessorFeaturePresent 96458->96489 96460 bcfec6 96490 bd2c94 10 API calls 3 library calls 96460->96490 96462 bcfecb 96463 bcfecf 96462->96463 96491 be2317 96462->96491 96463->96431 96466 bcfee6 96466->96431 96471 be2494 96468->96471 96469 bd0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 96470 bd0451 96469->96470 96470->96442 96472 be2421 96470->96472 96471->96469 96474 be2450 96472->96474 96473 bd0a8c 
__ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 96475 be2479 96473->96475 96474->96473 96475->96446 96566 bd2340 96476->96566 96479 bd097f 96479->96448 96568 bd4bcf 96480->96568 96483->96444 96484->96451 96485->96453 96486->96456 96487->96434 96489->96460 96490->96462 96495 bed1f6 96491->96495 96494 bd2cbd 8 API calls 3 library calls 96494->96463 96498 bed213 96495->96498 96499 bed20f 96495->96499 96497 bcfed8 96497->96466 96497->96494 96498->96499 96501 be4bfb 96498->96501 96513 bd0a8c 96499->96513 96502 be4c07 BuildCatchObjectHelperInternal 96501->96502 96520 be2f5e EnterCriticalSection 96502->96520 96504 be4c0e 96521 be50af 96504->96521 96506 be4c1d 96507 be4c2c 96506->96507 96534 be4a8f 29 API calls 96506->96534 96536 be4c48 LeaveCriticalSection _abort 96507->96536 96510 be4c27 96535 be4b45 GetStdHandle GetFileType 96510->96535 96511 be4c3d __fread_nolock 96511->96498 96514 bd0a95 96513->96514 96515 bd0a97 IsProcessorFeaturePresent 96513->96515 96514->96497 96517 bd0c5d 96515->96517 96565 bd0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 96517->96565 96519 bd0d40 96519->96497 96520->96504 96522 be50bb BuildCatchObjectHelperInternal 96521->96522 96523 be50df 96522->96523 96524 be50c8 96522->96524 96537 be2f5e EnterCriticalSection 96523->96537 96545 bdf2d9 20 API calls _abort 96524->96545 96527 be50cd 96546 be27ec 26 API calls _abort 96527->96546 96529 be5117 96547 be513e LeaveCriticalSection _abort 96529->96547 96530 be50d7 __fread_nolock 96530->96506 96533 be50eb 96533->96529 96538 be5000 96533->96538 96534->96510 96535->96507 96536->96511 96537->96533 96548 be4c7d 96538->96548 96540 be5012 96544 be501f 96540->96544 96555 be3405 11 API calls 2 library calls 96540->96555 96542 be5071 96542->96533 96556 be29c8 96544->96556 96545->96527 96546->96530 96547->96530 96554 be4c8a _abort 96548->96554 96549 be4cca 96563 bdf2d9 20 API calls _abort 
96549->96563 96550 be4cb5 RtlAllocateHeap 96552 be4cc8 96550->96552 96550->96554 96552->96540 96554->96549 96554->96550 96562 bd4ead 7 API calls 2 library calls 96554->96562 96555->96540 96557 be29d3 RtlFreeHeap 96556->96557 96558 be29fc _free 96556->96558 96557->96558 96559 be29e8 96557->96559 96558->96542 96564 bdf2d9 20 API calls _abort 96559->96564 96561 be29ee GetLastError 96561->96558 96562->96554 96563->96552 96564->96561 96565->96519 96567 bd096c GetStartupInfoW 96566->96567 96567->96479 96569 bd4bdb _abort 96568->96569 96570 bd4bf4 96569->96570 96571 bd4be2 96569->96571 96592 be2f5e EnterCriticalSection 96570->96592 96607 bd4d29 GetModuleHandleW 96571->96607 96574 bd4be7 96574->96570 96608 bd4d6d GetModuleHandleExW 96574->96608 96575 bd4c99 96596 bd4cd9 96575->96596 96578 bd4bfb 96578->96575 96580 bd4c70 96578->96580 96593 be21a8 96578->96593 96584 bd4c88 96580->96584 96589 be2421 _abort 5 API calls 96580->96589 96582 bd4cb6 96599 bd4ce8 96582->96599 96583 bd4ce2 96616 bf1d29 5 API calls __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 96583->96616 96585 be2421 _abort 5 API calls 96584->96585 96585->96575 96589->96584 96592->96578 96617 be1ee1 96593->96617 96636 be2fa6 LeaveCriticalSection 96596->96636 96598 bd4cb2 96598->96582 96598->96583 96637 be360c 96599->96637 96602 bd4d16 96605 bd4d6d _abort 8 API calls 96602->96605 96603 bd4cf6 GetPEB 96603->96602 96604 bd4d06 GetCurrentProcess TerminateProcess 96603->96604 96604->96602 96606 bd4d1e ExitProcess 96605->96606 96607->96574 96609 bd4dba 96608->96609 96610 bd4d97 GetProcAddress 96608->96610 96612 bd4dc9 96609->96612 96613 bd4dc0 FreeLibrary 96609->96613 96611 bd4dac 96610->96611 96611->96609 96614 bd0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 96612->96614 96613->96612 96615 bd4bf3 96614->96615 96615->96570 96620 be1e90 96617->96620 96619 be1f05 
96619->96580 96621 be1e9c BuildCatchObjectHelperInternal 96620->96621 96628 be2f5e EnterCriticalSection 96621->96628 96623 be1eaa 96629 be1f31 96623->96629 96627 be1ec8 __fread_nolock 96627->96619 96628->96623 96632 be1f59 96629->96632 96634 be1f51 96629->96634 96630 bd0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 96631 be1eb7 96630->96631 96635 be1ed5 LeaveCriticalSection _abort 96631->96635 96633 be29c8 _free 20 API calls 96632->96633 96632->96634 96633->96634 96634->96630 96635->96627 96636->96598 96638 be3627 96637->96638 96639 be3631 96637->96639 96641 bd0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 96638->96641 96644 be2fd7 5 API calls 2 library calls 96639->96644 96642 bd4cf2 96641->96642 96642->96602 96642->96603 96643 be3648 96643->96638 96644->96643 96645 bbdefc 96648 bb1d6f 96645->96648 96647 bbdf07 96649 bb1d8c 96648->96649 96650 bb1f6f 348 API calls 96649->96650 96651 bb1da6 96650->96651 96652 bf2759 96651->96652 96654 bb1e36 96651->96654 96655 bb1dc2 96651->96655 96658 c2359c 82 API calls __wsopen_s 96652->96658 96654->96647 96655->96654 96657 bb289a 23 API calls 96655->96657 96657->96654 96658->96654 96659 bb1033 96664 bb4c91 96659->96664 96663 bb1042 96665 bba961 22 API calls 96664->96665 96666 bb4cff 96665->96666 96672 bb3af0 96666->96672 96669 bb4d9c 96670 bb1038 96669->96670 96675 bb51f7 22 API calls __fread_nolock 96669->96675 96671 bd00a3 29 API calls __onexit 96670->96671 96671->96663 96676 bb3b1c 96672->96676 96675->96669 96677 bb3b0f 96676->96677 96678 bb3b29 96676->96678 96677->96669 96678->96677 96679 bb3b30 RegOpenKeyExW 96678->96679 96679->96677 96680 bb3b4a RegQueryValueExW 96679->96680 96681 bb3b6b 96680->96681 96682 bb3b80 RegCloseKey 96680->96682 96681->96682 96682->96677 96683 bbfe73 96690 bcceb1 96683->96690 96685 bbfe89 96699 bccf92 96685->96699 96687 bbfeb3 
96711 c2359c 82 API calls __wsopen_s 96687->96711 96689 c04ab8 96691 bccebf 96690->96691 96692 bcced2 96690->96692 96693 bbaceb 23 API calls 96691->96693 96694 bccf05 96692->96694 96695 bcced7 96692->96695 96698 bccec9 96693->96698 96697 bbaceb 23 API calls 96694->96697 96696 bcfddb 22 API calls 96695->96696 96696->96698 96697->96698 96698->96685 96712 bb6270 96699->96712 96701 bccfc9 96702 bb9cb3 22 API calls 96701->96702 96705 bccffa 96701->96705 96703 c0d166 96702->96703 96717 bb6350 22 API calls 96703->96717 96705->96687 96706 c0d171 96718 bcd2f0 40 API calls 96706->96718 96708 c0d184 96709 bbaceb 23 API calls 96708->96709 96710 c0d188 96708->96710 96709->96710 96710->96710 96711->96689 96713 bcfe0b 22 API calls 96712->96713 96714 bb6295 96713->96714 96715 bcfddb 22 API calls 96714->96715 96716 bb62a3 96715->96716 96716->96701 96717->96706 96718->96708 96719 bb2e37 96720 bba961 22 API calls 96719->96720 96721 bb2e4d 96720->96721 96798 bb4ae3 96721->96798 96723 bb2e6b 96812 bb3a5a 96723->96812 96725 bb2e7f 96726 bb9cb3 22 API calls 96725->96726 96727 bb2e8c 96726->96727 96819 bb4ecb 96727->96819 96730 bb2ead 96841 bba8c7 22 API calls __fread_nolock 96730->96841 96731 bf2cb0 96859 c22cf9 96731->96859 96733 bf2cc3 96734 bf2ccf 96733->96734 96885 bb4f39 96733->96885 96740 bb4f39 68 API calls 96734->96740 96736 bb2ec3 96842 bb6f88 22 API calls 96736->96842 96739 bb2ecf 96741 bb9cb3 22 API calls 96739->96741 96742 bf2ce5 96740->96742 96743 bb2edc 96741->96743 96891 bb3084 22 API calls 96742->96891 96843 bba81b 41 API calls 96743->96843 96746 bb2eec 96748 bb9cb3 22 API calls 96746->96748 96747 bf2d02 96892 bb3084 22 API calls 96747->96892 96750 bb2f12 96748->96750 96844 bba81b 41 API calls 96750->96844 96751 bf2d1e 96753 bb3a5a 24 API calls 96751->96753 96754 bf2d44 96753->96754 96893 bb3084 22 API calls 96754->96893 96755 bb2f21 96757 bba961 22 API calls 96755->96757 96759 bb2f3f 96757->96759 96758 bf2d50 96894 bba8c7 22 API calls __fread_nolock 96758->96894 96845 
[Call-graph residue: the interactive viewer's node IDs and "caller->callee" edges were flattened into text. Only the root functions and the Win32 APIs each one reaches are recoverable:]
• 00BB3156 (message handler): DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, I_RpcFreeBuffer, MoveWindow, SetFocus, Shell_NotifyIconW, DeleteObject, DestroyWindow
• 00C42A55: IsWindow
• 00BB1CAD: SystemParametersInfoW
• 00BB2DE3: GetOpenFileNameW, GetLongPathNameW, GetFullPathNameW (via 00BB3AA2)
• 00C0D29A: WSAStartup, gethostname, gethostbyname, inet_ntoa, WSACleanup, MultiByteToWideChar
• 00BF2BA5: CreateWindowExW, ShowWindow, GetForegroundWindow, ShellExecuteW, SetCurrentDirectoryW, Shell_NotifyIconW, DestroyIcon, LoadStringW
• 00C0D27A: GetUserNameW
• 00C0D35F: SHGetFolderPathW
• 00BE8402 (CRT _wsopen_s path): CreateFileW, GetFileType, GetLastError, CloseHandle
• 00BF2402 (shutdown path): mciSendStringW, DestroyWindow, UnregisterHotKey, CloseHandle, FindClose, FreeLibrary, VirtualFree, VirtualFreeEx, CoUninitialize, InternetCloseHandle, WaitForSingleObject
• 00BB1044 (start-up path): GetStdHandle, OleInitialize, InitializeCriticalSectionAndSpinCount, InterlockedExchange, GetCurrentProcess, DuplicateHandle, CreateThread, CloseHandle, RegisterWindowMessageW
• 00BBDEE5: EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent (via 00BD01F8)
• Shared helpers reached from several roots: LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, GetModuleFileNameW, CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource, EnterCriticalSection, LeaveCriticalSection
Control-flow Graph

[Graph residue: the basic-block diagram of the function at 00BB42DE was flattened to block IDs and edges; the executed/not-executed colouring of the viewer is not recoverable as text. The recoverable block sequence:]
• 00BB42DE: calls 00BBA961, GetVersionExW, 00BB6B57
• 00BB435D: calls 00BB93B2, 00BB37A0
• 00BB441B: GetCurrentProcess, IsWow64Process
• 00BB444F: LoadLibraryA("kernel32.dll"); on success 00BB4460: GetProcAddress(module handle, "GetNativeSystemInfo"); if the export resolves, 00BB4470: GetNativeSystemInfo; afterwards 00BB447A: FreeLibrary
• 00BB449C: GetSystemInfo, reached when LoadLibraryA or GetProcAddress fails; 00BF3824: GetSystemInfo, reached directly from 00BB443D

Resolving GetNativeSystemInfo through GetProcAddress with a GetSystemInfo fallback is the documented way to call that export on kernel32 builds that may lack it; together with IsWow64Process it yields the host's native CPU architecture rather than the emulated one. The same sequence occurs in ordinary runtime start-up code and in environment checks, so on its own it is a weak indicator and should be read alongside the other signatures in this report.
APIs
• GetVersionExW.KERNEL32(?), ref: 00BB430D
  • Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A
• GetCurrentProcess.KERNEL32(?,00C4CB64,00000000,?,?), ref: 00BB4422
• IsWow64Process.KERNEL32(00000000,?,?), ref: 00BB4429
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00BB4454
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00BB4466
• GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00BB4474
• FreeLibrary.KERNEL32(00000000,?,?), ref: 00BB447B
• GetSystemInfo.KERNEL32(?,?,?), ref: 00BB44A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
• String ID: GetNativeSystemInfo$kernel32.dll$|O
• API String ID: 3290436268-3101561225
• Opcode ID: e806f9d53c5c439267a830f29448208411e1c1b60c82f40fe9e11e097dab28c2
• Instruction ID: 014472afd6f5e6ff4377a10c2bd0deb70874275ce4d5adb5d00a3d229cf57553
• Opcode Fuzzy Hash: e806f9d53c5c439267a830f29448208411e1c1b60c82f40fe9e11e097dab28c2
• Instruction Fuzzy Hash: 64A1937595A2C4DFC711D76978817ED7FECBB26B00B0D48E9D88193B32D6604A0ACB29

Control-flow Graph (graph image and edge data not reproduced)
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00BB50AA,?,?,00000000,00000000), ref: 00BB42B2
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00BB50AA,?,?,00000000,00000000), ref: 00BB42C9
• LoadResource.KERNEL32(?,00000000,?,?,00BB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BB4F20), ref: 00BF35BE
• SizeofResource.KERNEL32(?,00000000,?,?,00BB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BB4F20), ref: 00BF35D3
• LockResource.KERNEL32(00BB50AA,?,?,00BB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BB4F20,?), ref: 00BF35E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: a928c6d0843b5f41ae531e9d822a965fa2f113d2e7f292cdd6cd6d406b438731
• Instruction ID: 8b7d913815fe0054f02fda63ed0ccacf1528cb8c14afcbd70364f65001d55132
• Opcode Fuzzy Hash: a928c6d0843b5f41ae531e9d822a965fa2f113d2e7f292cdd6cd6d406b438731
• Instruction Fuzzy Hash: 22117C74201700BFEB258FA5DC89F6B7BB9FBC6B51F1081A9B412962A0DBB1D8049620

Control-flow Graph (graph image not reproduced)

APIs
• SetCurrentDirectoryW.KERNEL32(?), ref: 00BB2B6B
  • Part of subcall function 00BB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C81418,?,00BB2E7F,?,?,?,00000000), ref: 00BB3A78
  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00C72224), ref: 00BF2C10
• ShellExecuteW.SHELL32(00000000,?,?,00C72224), ref: 00BF2C17
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
• String ID: runas
• API String ID: 448630720-4000483414
• Opcode ID: f94436bd0e0031e4d2a7a14be953e12292c8e8d0d1463739bf6b864669ed79c6
• Instruction ID: 134d3d666d36ceea01e9de6bd756618de802d05d7477bb21ce87ef86232309df
• Opcode Fuzzy Hash: f94436bd0e0031e4d2a7a14be953e12292c8e8d0d1463739bf6b864669ed79c6
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0611B4312083456BC714FF60D891AFE7BE8AB91750F4854ADF546130A3CFE1894A8712
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 00C1D501
                                                                                                                                                                                                                                                                                                                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 00C1D50F
                                                                                                                                                                                                                                                                                                                                                                                • Process32NextW.KERNEL32(00000000,?), ref: 00C1D52F
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00C1D5DC
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 420147892-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: fc5dee23743ecec3257ef9485be2c72e79cd2f7c222426ac86715ff9151b575a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 31ee91551b9ce777fd4de20fb1e73525f0442426c96ab8c1f0729fe392c78243
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fc5dee23743ecec3257ef9485be2c72e79cd2f7c222426ac86715ff9151b575a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EB318F711083009FD300EF54D881BFFBBE8EF9A354F14096DF586861A1EBB19A85DB92
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • lstrlenW.KERNEL32(?,00BF5222), ref: 00C1DBCE
                                                                                                                                                                                                                                                                                                                                                                                • GetFileAttributesW.KERNEL32(?), ref: 00C1DBDD
                                                                                                                                                                                                                                                                                                                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 00C1DBEE
                                                                                                                                                                                                                                                                                                                                                                                • FindClose.KERNEL32(00000000), ref: 00C1DBFA
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2695905019-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: edbbf6364964bf7df6268bf5126befe00761c5afe957379ab4376c4ffc10dfd3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 48f6878c8d7fef67e64a214214fe3a0abb1f5c80af97422ee09e206a3d42953c
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: edbbf6364964bf7df6268bf5126befe00761c5afe957379ab4376c4ffc10dfd3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CCF0A0388119105783306B78AC4DAEE377CAE03334B104B02F936C20F0EBF09A94D6D5
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: LocalTime
                                                                                                                                                                                                                                                                                                                                                                                • String ID: %.3d$X64
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 481472006-1077770165
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 4535e2483cf168d653878259ef987b70984fc5d30fce2d4889138620156cecfb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: d28ad4f70c3e0e6950c4c1bb5917292f1c20f31b6b29687c68f1269db6ec69d7
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4535e2483cf168d653878259ef987b70984fc5d30fce2d4889138620156cecfb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BDD012A5809119EACB9097D1CC85EB9B3BCBB08301F5084A6F80B91080D724CD08EB61
APIs
• GetCurrentProcess.KERNEL32(00BE28E9,?,00BD4CBE,00BE28E9,00C788B8,0000000C,00BD4E15,00BE28E9,00000002,00000000,?,00BE28E9), ref: 00BD4D09
• TerminateProcess.KERNEL32(00000000,?,00BD4CBE,00BE28E9,00C788B8,0000000C,00BD4E15,00BE28E9,00000002,00000000,?,00BE28E9), ref: 00BD4D10
• ExitProcess.KERNEL32 ref: 00BD4D22
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 72202a91fa76d955df75a8055d7793cba8590d5808edc35156cd940d0077ff5f
• Instruction ID: 8eebb52858a3a9b7921cb328bc0f15b76a8f909abef51c582dc33b81d0cd11cc
• Opcode Fuzzy Hash: 72202a91fa76d955df75a8055d7793cba8590d5808edc35156cd940d0077ff5f
• Instruction Fuzzy Hash: 9BE0B635001188AFCF61AF64DD49B9C7BAAFB42791B144065FC058B232DB35DD42CB80
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00C0D28C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: NameUser
• String ID: X64
• API String ID: 2645101109-893830106
• Opcode ID: f1fb3aa2d72a7d0d8c6986f363cc459d514679b69b2824abf6d609445d453751
• Instruction ID: dbb1ceba4ba3d6041ea186c2373e4ab8f4754203d267381a8b7ed3ba81198d63
• Opcode Fuzzy Hash: f1fb3aa2d72a7d0d8c6986f363cc459d514679b69b2824abf6d609445d453751
• Instruction Fuzzy Hash: 20D0C9B880211DEBCB90CB90DCC8EDDB7BCBB04305F100195F106A2040D73095488F10
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: x
• API String ID: 3964851224-3713776305
• Opcode ID: bdecb66400da70dd46e240612a5e6750e0865adfb23cfa6a072e0ccfe119e5df
• Instruction ID: e538a403cd72423a911bbd607cfd9747db0a46a14c76f702c599e93f45808a4f
• Opcode Fuzzy Hash: bdecb66400da70dd46e240612a5e6750e0865adfb23cfa6a072e0ccfe119e5df
• Instruction Fuzzy Hash: FDA25B706083419FD710DF18C480B6ABBE1FF89304F2589ADE99A9B352D7B1ED45CB92

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 c3aff9-c3b056 call bd2340 3 c3b094-c3b098 0->3 4 c3b058-c3b06b call bbb567 0->4 6 c3b09a-c3b0bb call bbb567 * 2 3->6 7 c3b0dd-c3b0e0 3->7 12 c3b0c8 4->12 13 c3b06d-c3b092 call bbb567 * 2 4->13 29 c3b0bf-c3b0c4 6->29 9 c3b0e2-c3b0e5 7->9 10 c3b0f5-c3b119 call bb7510 call bb7620 7->10 14 c3b0e8-c3b0ed call bbb567 9->14 31 c3b1d8-c3b1e0 10->31 32 c3b11f-c3b178 call bb7510 call bb7620 call bb7510 call bb7620 call bb7510 call bb7620 10->32 17 c3b0cb-c3b0cf 12->17 13->29 14->10 23 c3b0d1-c3b0d7 17->23 24 c3b0d9-c3b0db 17->24 23->14 24->7 24->10 29->7 33 c3b0c6 29->33 36 c3b1e2-c3b1fd call bb7510 call bb7620 31->36 37 c3b20a-c3b238 GetCurrentDirectoryW call bcfe0b GetCurrentDirectoryW 31->37 82 c3b1a6-c3b1d6 GetSystemDirectoryW call bcfe0b GetSystemDirectoryW 32->82 83 c3b17a-c3b195 call bb7510 call bb7620 32->83 33->17 36->37 53 c3b1ff-c3b208 call bd4963 36->53 45 c3b23c 37->45 48 c3b240-c3b244 45->48 51 c3b246-c3b270 call bb9c6e * 3 48->51 52 c3b275-c3b285 call c200d9 48->52 51->52 62 c3b287-c3b289 52->62 63 c3b28b-c3b2e1 call c207c0 call c206e6 call c205a7 52->63 53->37 53->52 66 c3b2ee-c3b2f2 62->66 63->66 98 c3b2e3 63->98 71 c3b39a-c3b3be CreateProcessW 66->71 72 c3b2f8-c3b321 call c111c8 66->72 76 c3b3c1-c3b3d4 call bcfe14 * 2 71->76 87 c3b323-c3b328 call c11201 72->87 88 c3b32a call c114ce 72->88 103 c3b3d6-c3b3e8 76->103 104 c3b42f-c3b43d CloseHandle 76->104 82->45 83->82 105 c3b197-c3b1a0 call bd4963 83->105 97 c3b32f-c3b33c call bd4963 87->97 88->97 113 c3b347-c3b357 call bd4963 97->113 114 c3b33e-c3b345 97->114 98->66 109 c3b3ea 103->109 110 c3b3ed-c3b3fc 103->110 107 c3b43f-c3b444 104->107 108 c3b49c 104->108 105->48 105->82 115 c3b451-c3b456 107->115 116 c3b446-c3b44c CloseHandle 107->116 111 c3b4a0-c3b4a4 108->111 109->110 117 c3b401-c3b42a GetLastError call bb630c call bbcfa0 110->117 118 c3b3fe 110->118 120 c3b4b2-c3b4bc 111->120 121 c3b4a6-c3b4b0 111->121 136 c3b362-c3b372 call bd4963 113->136 137 c3b359-c3b360 113->137 114->113 114->114 124 c3b463-c3b468 115->124 125 c3b458-c3b45e CloseHandle 115->125 116->115 127 c3b4e5-c3b4f6 call c20175 117->127 118->117 128 c3b4c4-c3b4e3 call bbcfa0 CloseHandle 120->128 129 c3b4be 120->129 121->127 131 c3b475-c3b49a call c209d9 call c3b536 124->131 132 c3b46a-c3b470 CloseHandle 124->132 125->124 128->127 129->128 131->111 132->131 146 c3b374-c3b37b 136->146 147 c3b37d-c3b398 call bcfe14 * 3 136->147 137->136 137->137 146->146 146->147 147->76
APIs
• _wcslen.LIBCMT ref: 00C3B198
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C3B1B0
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C3B1D4
• _wcslen.LIBCMT ref: 00C3B200
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C3B214
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C3B236
• _wcslen.LIBCMT ref: 00C3B332
  • Part of subcall function 00C205A7: GetStdHandle.KERNEL32(000000F6), ref: 00C205C6
• _wcslen.LIBCMT ref: 00C3B34B
• _wcslen.LIBCMT ref: 00C3B366
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C3B3B6
• GetLastError.KERNEL32(00000000), ref: 00C3B407
• CloseHandle.KERNEL32(?), ref: 00C3B439
• CloseHandle.KERNEL32(00000000), ref: 00C3B44A
• CloseHandle.KERNEL32(00000000), ref: 00C3B45C
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00C3B46E
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 00C3B4E3
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2178637699-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ff451fbcd18c6cafa6463cb074aa3705aaddcce00f285ae5bf55344ba09ae840
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 9ec3e209dde6092750a8b118aaceba31645f9691e655d9c64ff0a7a34b95bba2
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ff451fbcd18c6cafa6463cb074aa3705aaddcce00f285ae5bf55344ba09ae840
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C1F1AC316183009FC724EF24C891B6FBBE5AF85310F14859DF99A9B2A2DB71ED44CB52
APIs
• GetInputState.USER32 ref: 00BBD807
• timeGetTime.WINMM ref: 00BBDA07
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BBDB28
• TranslateMessage.USER32(?), ref: 00BBDB7B
• DispatchMessageW.USER32(?), ref: 00BBDB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BBDB9F
• Sleep.KERNEL32(0000000A), ref: 00BBDBB1
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
• String ID:
• API String ID: 2189390790-0
• Opcode ID: 38b01bdea318581a282a6bfcd8f82022cba1a59c22ff140a4edae525402eee34
• Instruction ID: d202acbf9c01ef28899dbbe57add126e38cb6a0f3128f977a016d4e8868b2515
• Opcode Fuzzy Hash: 38b01bdea318581a282a6bfcd8f82022cba1a59c22ff140a4edae525402eee34
• Instruction Fuzzy Hash: F442D430608241DFD729CF24C888BBAB7E4FF45314F58469DE9A687291E7B4E944DB82

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00BB2D07
• RegisterClassExW.USER32(00000030), ref: 00BB2D31
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BB2D42
• InitCommonControlsEx.COMCTL32(?), ref: 00BB2D5F
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BB2D6F
• LoadIconW.USER32(000000A9), ref: 00BB2D85
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BB2D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 865a63ea4186848ed1b11b1436cd8316b6cc9667b51c0b489f4e4517296f4bf2
• Instruction ID: 5e32f6961f4a61667f8db52fe930ba847a4dea8bafccbd7e5fd45423743c8a7b
• Opcode Fuzzy Hash: 865a63ea4186848ed1b11b1436cd8316b6cc9667b51c0b489f4e4517296f4bf2
• Instruction Fuzzy Hash: F321C2B5912318AFDB40DFA4EC89BDDBBF8FB09700F04811AF911A62A0D7B15545CF95

Control-flow Graph

control_flow_graph 457 bf065b-bf068b call bf042f 460 bf068d-bf0698 call bdf2c6 457->460 461 bf06a6-bf06b2 call be5221 457->461 466 bf069a-bf06a1 call bdf2d9 460->466 467 bf06cb-bf0714 call bf039a 461->467 468 bf06b4-bf06c9 call bdf2c6 call bdf2d9 461->468 477 bf097d-bf0983 466->477 475 bf0716-bf071f 467->475 476 bf0781-bf078a GetFileType 467->476 468->466 479 bf0756-bf077c GetLastError call bdf2a3 475->479 480 bf0721-bf0725 475->480 481 bf078c-bf07bd GetLastError call bdf2a3 CloseHandle 476->481 482 bf07d3-bf07d6 476->482 479->466 480->479 486 bf0727-bf0754 call bf039a 480->486 481->466 496 bf07c3-bf07ce call bdf2d9 481->496 484 bf07df-bf07e5 482->484 485 bf07d8-bf07dd 482->485 489 bf07e9-bf0837 call be516a 484->489 490 bf07e7 484->490 485->489 486->476 486->479 500 bf0839-bf0845 call bf05ab 489->500 501 bf0847-bf086b call bf014d 489->501 490->489 496->466 500->501 506 bf086f-bf0879 call be86ae 500->506 507 bf087e-bf08c1 501->507 508 bf086d 501->508 506->477 510 bf08c3-bf08c7 507->510 511 bf08e2-bf08f0 507->511 508->506 510->511 513 bf08c9-bf08dd 510->513 514 bf097b 511->514 515 bf08f6-bf08fa 511->515 513->511 514->477 515->514 516 bf08fc-bf092f CloseHandle call bf039a 515->516 519 bf0963-bf0977 516->519 520 bf0931-bf095d GetLastError call bdf2a3 call be5333 516->520 519->514 520->519
APIs
  • Part of subcall function 00BF039A: CreateFileW.KERNEL32(00000000,00000000,?,00BF0704,?,?,00000000,?,00BF0704,00000000,0000000C), ref: 00BF03B7
• GetLastError.KERNEL32 ref: 00BF076F
• __dosmaperr.LIBCMT ref: 00BF0776
• GetFileType.KERNEL32(00000000), ref: 00BF0782
• GetLastError.KERNEL32 ref: 00BF078C
• __dosmaperr.LIBCMT ref: 00BF0795
• CloseHandle.KERNEL32(00000000), ref: 00BF07B5
• CloseHandle.KERNEL32(?), ref: 00BF08FF
• GetLastError.KERNEL32 ref: 00BF0931
• __dosmaperr.LIBCMT ref: 00BF0938
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: bc2d95566a750177b6250a2662818e9290fc7ef58e067cf3f397c6bae8d45162
• Instruction ID: 35cb05d141bf184cbd41217ee4c2b6a54b3715ad5f7ef58ff3bdccd4ea4d7afe
• Opcode Fuzzy Hash: bc2d95566a750177b6250a2662818e9290fc7ef58e067cf3f397c6bae8d45162
• Instruction Fuzzy Hash: DCA11736A141088FDF19AF68D8917BE7BE0EB06320F144199F9159F3A2D7319D1ACB91

Control-flow Graph

APIs
  • Part of subcall function 00BB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C81418,?,00BB2E7F,?,?,?,00000000), ref: 00BB3A78
  • Part of subcall function 00BB3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BB3379
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00BB356A
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BF318D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BF31CE
• RegCloseKey.ADVAPI32(?), ref: 00BF3210
• _wcslen.LIBCMT ref: 00BF3277
• _wcslen.LIBCMT ref: 00BF3286
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 98802146-2727554177
• Opcode ID: 02cdb4ea7cd630e1d7716cd18a195627ded9e18f0bd31a338c3a97b12b05d1cf
• Instruction ID: dc4a7bef23cf977075ae48700408a741e05de2b2885b9840dd67cdac5bcf019d
• Opcode Fuzzy Hash: 02cdb4ea7cd630e1d7716cd18a195627ded9e18f0bd31a338c3a97b12b05d1cf
• Instruction Fuzzy Hash: 207199714043019FC314EF69EC96AAFBBE8FF85740B40086EF585931B0EB749A48CB66
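The two routines above are stock AutoIt runtime code: one registers the "AutoIt v3 GUI" window class, the other opens HKEY_CURRENT_USER (80000001) "Software\AutoIt v3\AutoIt" and reads its "Include" value to locate the interpreter's include directory. Those UTF-16 strings survive in a compiled AutoIt binary and are a cheap static triage signal. The script below is an added example, not part of the Joe Sandbox report or of the sample; it extracts UTF-16LE strings from a file image and checks for the three markers listed in this section. The sample byte blobs are constructed inline for demonstration and are not taken from P0HV8mjHS1.exe.

```python
import re
from typing import Dict, List

# Markers taken from the API/string listings above: the window class the AutoIt
# runtime registers and the registry path it reads to find its #include directory.
AUTOIT_MARKERS = (
    "AutoIt v3 GUI",
    "Software\\AutoIt v3\\AutoIt",
    "\\Include\\",
)


def utf16le_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Extract printable UTF-16LE strings (the encoding consumed by the W-suffixed APIs)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16le") for m in pattern.finditer(data)]


def autoit_markers_present(data: bytes) -> Dict[str, bool]:
    """Map each marker to whether it occurs as a substring of any extracted string."""
    strings = utf16le_strings(data)
    return {marker: any(marker in s for s in strings) for marker in AUTOIT_MARKERS}


def looks_like_autoit(data: bytes) -> bool:
    """Require both the GUI class name and the registry path; '\\Include\\' alone is too generic."""
    hits = autoit_markers_present(data)
    return hits["AutoIt v3 GUI"] and hits["Software\\AutoIt v3\\AutoIt"]


# Constructed sample inputs (not real binaries): a stub header followed by
# UTF-16LE copies of the markers, and a blob with unrelated text only.
SAMPLE_POSITIVE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "AutoIt v3 GUI".encode("utf-16le") + b"\x00\x00"
    + "Software\\AutoIt v3\\AutoIt".encode("utf-16le") + b"\x00\x00"
    + "\\Include\\".encode("utf-16le")
)
SAMPLE_NEGATIVE = b"MZ\x90\x00" + "Hello World Application".encode("utf-16le")

if __name__ == "__main__":
    for name, blob in (("positive", SAMPLE_POSITIVE), ("negative", SAMPLE_NEGATIVE)):
        print(name, looks_like_autoit(blob), autoit_markers_present(blob))
```

To run it against a real file, pass `open(path, "rb").read()` to `looks_like_autoit`; a hit says the AutoIt interpreter is embedded, not what the compiled script does, so it is a triage hint rather than a verdict.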

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00BB2B8E
• LoadCursorW.USER32(00000000,00007F00), ref: 00BB2B9D
• LoadIconW.USER32(00000063), ref: 00BB2BB3
• LoadIconW.USER32(000000A4), ref: 00BB2BC5
• LoadIconW.USER32(000000A2), ref: 00BB2BD7
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BB2BEF
• RegisterClassExW.USER32(?), ref: 00BB2C40
  • Part of subcall function 00BB2CD4: GetSysColorBrush.USER32(0000000F), ref: 00BB2D07
  • Part of subcall function 00BB2CD4: RegisterClassExW.USER32(00000030), ref: 00BB2D31
  • Part of subcall function 00BB2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BB2D42
  • Part of subcall function 00BB2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00BB2D5F
  • Part of subcall function 00BB2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BB2D6F
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB2CD4: LoadIconW.USER32(000000A9), ref: 00BB2D85
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BB2D94
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID: #$0$AutoIt v3
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 423443420-4155596026
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c1a19f9e01a36ba71cb43b5cb86914a090974c3af8bdefe72fdf4d8f6e3b2253
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ca43dd104a87206fc90acbd284142a3d2d9000f14b0bf000f7f1516ccc587263
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c1a19f9e01a36ba71cb43b5cb86914a090974c3af8bdefe72fdf4d8f6e3b2253
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8B212975E01318ABDB109FA5EC95BED7FF8FB48B50F08005AEA10A66B0D7B10541CF98

Control-flow Graph

• Executed
• Not Executed
(interactive control-flow graph rooted at bb3170 not reproduced in this text rendering)
APIs
• DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00BB316A,?,?), ref: 00BB31D8
• KillTimer.USER32(?,00000001,?,?,?,?,?,00BB316A,?,?), ref: 00BB3204
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BB3227
• RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00BB316A,?,?), ref: 00BB3232
• CreatePopupMenu.USER32 ref: 00BB3246
• PostQuitMessage.USER32(00000000), ref: 00BB3267
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: 0cc3df4170f236ff8c6b28b9ac2d0ae3637b40c252575306c68312c90c2c1a3b
• Instruction ID: 88d0a50f092451faafd11787f5342207c568f98efb7e6cf5ba4ca18520fc4ea4
• Opcode Fuzzy Hash: 0cc3df4170f236ff8c6b28b9ac2d0ae3637b40c252575306c68312c90c2c1a3b
• Instruction Fuzzy Hash: DE411535240208A7DB146B7CDC8ABFD3ADDEB06B44F0801A5F902962B1CBF19E419765

Control-flow Graph

• Executed
• Not Executed
(interactive control-flow graph rooted at bb1410 not reproduced in this text rendering)
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BB1459
• CoUninitialize.COMBASE ref: 00BB14F8
• UnregisterHotKey.USER32(?), ref: 00BB16DD
• DestroyWindow.USER32(?), ref: 00BF24B9
• FreeLibrary.KERNEL32(?), ref: 00BF251E
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BF254B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID: close all
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 469580280-3243417748
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: cd7f7931ff33003728beb0e0b692908679270d34f89ffed6bff10ffb4b90910f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: b54f5754329c1fa144bdd395c15c119f733d4c8b3f56dd776c2c66d2417357f8
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cd7f7931ff33003728beb0e0b692908679270d34f89ffed6bff10ffb4b90910f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BFD168316022129FCB29EF18C8A9B79F7E4BF15700F5445EDE54AAB262CB70AD16CF50

Control-flow Graph

APIs
  • Part of subcall function 00BB1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BB1BF4
  • Part of subcall function 00BB1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BB1BFC
  • Part of subcall function 00BB1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BB1C07
  • Part of subcall function 00BB1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BB1C12
  • Part of subcall function 00BB1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BB1C1A
  • Part of subcall function 00BB1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BB1C22
  • Part of subcall function 00BB1B4A: RegisterWindowMessageW.USER32(00000004,?,00BB12C4), ref: 00BB1BA2
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BB136A
• OleInitialize.OLE32 ref: 00BB1388
• CloseHandle.KERNEL32(00000000,00000000), ref: 00BF24AB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID: 0V$0$X$`,$
• API String ID: 1986988660-4264159714
• Opcode ID: 451df4ac52b308600d9582d8cdd4fa2880a06d049ec7efca21b015245ef69514
• Instruction ID: 6db8a2a94abc12d766229304d18584e9c13e8f5c99aa6d9ea72186266f28bebc
• Opcode Fuzzy Hash: 451df4ac52b308600d9582d8cdd4fa2880a06d049ec7efca21b015245ef69514
• Instruction Fuzzy Hash: 7171BAB49112009FC784EF79A8567A93AE8FB8934475D856EA80AC72B2EB704402CF4C

Control-flow Graph

control_flow_graph 836 c1de27-c1de4a WSAStartup 837 c1de50-c1de71 gethostname gethostbyname 836->837 838 c1dee6-c1def2 call bd4983 836->838 837->838 839 c1de73-c1de7a 837->839 846 c1def3-c1def6 838->846 841 c1de83-c1de85 839->841 842 c1de7c-c1de81 839->842 844 c1de87-c1de94 call bd4983 841->844 845 c1de96-c1dedb call bd0e20 inet_ntoa call bdd5f0 call c1ebd1 call bd4983 call bcfe14 841->845 842->841 842->842 851 c1dede-c1dee4 WSACleanup 844->851 845->851 851->846
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 642191829-3771769585
• Opcode ID: eeb60cd6fac390e1a369354d862bcb755fa2489e10cbed7fb2327308b48e5c91
• Instruction ID: 6030055b7305eba7aed313020a9ba0e8e84091775b38aa12e0c138ef51bbf2f9
• Opcode Fuzzy Hash: eeb60cd6fac390e1a369354d862bcb755fa2489e10cbed7fb2327308b48e5c91
• Instruction Fuzzy Hash: AE110631904105AFCB24AB719C4AFEE77ACEF12711F0001AAF4569A1A1FF748AC1DA50

Control-flow Graph
control_flow_graph 870 bb2c63-bb2cd3 CreateWindowExW * 2 ShowWindow * 2
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BB2C91
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BB2CB2
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00BB1CAD,?), ref: 00BB2CC6
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00BB1CAD,?), ref: 00BB2CCF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 7ce1be6d3bae71aeb8701aba9774e2692a004120560dfd6e49f9945e1484b3df
• Instruction ID: 7d2ebc339895ff651619bd9f21ee0fef20dab80691564dcc9bd12ac39f6aa145
• Opcode Fuzzy Hash: 7ce1be6d3bae71aeb8701aba9774e2692a004120560dfd6e49f9945e1484b3df
• Instruction Fuzzy Hash: 8BF0DA755413A07AEB711B17AC48FBB2EBDE7C7F50B04005AFD00A25B0C6755852DBB8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID:
• String ID: x$Variable must be of type 'Object'.$$
• API String ID: 0-963051460
• Opcode ID: e82266605f8078fe816dece4cf98fc9ec68e1c665409946e5b9914274d9cd132
• Instruction ID: 89d2cc40d1fd3f7f6861d6e589737af8bff8891798597b90319b371811162d5d
• Opcode Fuzzy Hash: e82266605f8078fe816dece4cf98fc9ec68e1c665409946e5b9914274d9cd132
• Instruction Fuzzy Hash: FDC25771A002158FCB24CF58C885BFDB7F5EB08310F2485A9E966AB3A1D3B5ED41CB95
APIs
• __Init_thread_footer.LIBCMT ref: 00BBFE66
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: x$$
• API String ID: 1385522511-1009475463
• Opcode ID: b0d3de362649b6a81c73f02d39d8cfce5894060549084ae4e67ce38effc42baa
• Instruction ID: ce6b3943100b815c030792f62637ab69200d76a0608c36d9e9795a0ef9680255
• Opcode Fuzzy Hash: b0d3de362649b6a81c73f02d39d8cfce5894060549084ae4e67ce38effc42baa
• Instruction Fuzzy Hash: 73B25A74604342CFDB24CF18C890BBAB7E1FB99304F2448ADE9959B3A1D7B1E945CB52

Control-flow Graph
control_flow_graph 1938 c0d3a0-c0d3a9 1939 c0d376-c0d37b 1938->1939 1940 c0d3ab-c0d3b7 LoadLibraryA 1938->1940 1941 c0d292-c0d2a8 1939->1941 1942 c0d3c9 1940->1942 1943 c0d3b9-c0d3c7 GetProcAddress 1940->1943 1947 c0d2a9 1941->1947 1944 c0d3ce-c0d3de 1942->1944 1943->1942 1943->1944 1944->1941 1948 c0d3e4-c0d3eb FreeLibrary 1944->1948 1947->1947 1948->1941
APIs
• LoadLibraryA.KERNEL32 ref: 00C0D3AD
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C0D3BF
• FreeLibrary.KERNEL32(00000000), ref: 00C0D3E5
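The API entries in this section carry two facts a triage analyst usually wants pulled out automatically: the CreateWindowExW pair earlier in the section creates a top-level window of class "AutoIt v3" (without the WS_VISIBLE style; a ShowWindow call follows) plus an "edit" child, and the function above resolves GetSystemWow64DirectoryW at run time through LoadLibraryA, GetProcAddress and FreeLibrary rather than through the import table. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample. It parses the report's "APIs" bullet format (the line grammar is inferred from the entries shown on this page, so it is an assumption, not a documented Joe Sandbox format), then reports the window classes created, whether each was created visible, the procedure names passed to GetProcAddress, and any LoadLibrary/GetProcAddress/FreeLibrary chain. The sample lines embedded in the block are copied from this section; argument positions follow the documented CreateWindowExW and GetProcAddress signatures, and WS_VISIBLE is the documented Win32 value.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the "APIs" bullet entries printed for the functions in
# this section of the report, copied one per line exactly as the report shows them.
SAMPLE_REPORT_LINES = """\
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BB2C91
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BB2CB2
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00BB1CAD,?), ref: 00BB2CC6
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00BB1CAD,?), ref: 00BB2CCF
• __Init_thread_footer.LIBCMT ref: 00BBFE66
• LoadLibraryA.KERNEL32 ref: 00C0D3AD
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C0D3BF
• FreeLibrary.KERNEL32(00000000), ref: 00C0D3E5
"""

# One entry is "Api.MODULE(arg,arg,...), ref: HEXADDR" or "Api.MODULE ref: HEXADDR".
# Arguments are hex, a bare string, or "?" when the sandbox could not recover them.
# Assumed grammar, inferred from the entries on this page.
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>[A-Za-z_][\w@?]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

WS_VISIBLE = 0x10000000  # dwStyle bit: window is shown at creation, no ShowWindow needed


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int  # call-site address parsed from the hex "ref:" value


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse 'APIs' entries in report order; lines that do not match are skipped.
    Arguments are split on ',' because the report never quotes string arguments;
    a string argument that itself contains a comma would be split too."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def windows_created(calls: List[ApiCall]) -> List[Tuple[str, bool]]:
    """(lpClassName, created with WS_VISIBLE) per CreateWindowExW call.
    lpClassName is argument index 1 and dwStyle is index 3 of CreateWindowExW."""
    out = []
    for c in calls:
        if c.api == "CreateWindowExW" and len(c.args) > 3:
            style = c.args[3]
            visible = style != "?" and bool(int(style, 16) & WS_VISIBLE)
            out.append((c.args[1], visible))
    return out


def dynamically_resolved(calls: List[ApiCall]) -> List[str]:
    """Procedure names passed to GetProcAddress (argument index 1), where recovered."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) > 1 and c.args[1] != "?"]


def resolve_chains(calls: List[ApiCall]) -> List[Tuple[int, str, int]]:
    """LoadLibrary* -> GetProcAddress -> FreeLibrary sequences, in report order, as
    (load_ref, proc_name, free_ref). The report lists a function's call sites in
    address order, so a chain found this way lies inside one function."""
    chains, load, proc = [], None, None
    for c in calls:
        if c.api.startswith("LoadLibrary"):
            load, proc = c, None
        elif c.api == "GetProcAddress" and load is not None:
            proc = c.args[1] if len(c.args) > 1 else "?"
        elif c.api == "FreeLibrary" and load is not None and proc is not None:
            chains.append((load.ref, proc, c.ref))
            load, proc = None, None
    return chains


def triage(text: str) -> Dict[str, object]:
    """Summarise one report section's API entries for quick review."""
    calls = parse_api_lines(text)
    windows = windows_created(calls)
    return {
        "call_count": len(calls),
        "windows": windows,
        "autoit_window": any(cls == "AutoIt v3" for cls, _ in windows),
        "dynamic_imports": dynamically_resolved(calls),
        "resolve_chains": resolve_chains(calls),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT_LINES).items():
        print(f"{key}: {value}")
```

On the entries from this section the summary reports two windows, "AutoIt v3" created without WS_VISIBLE and "edit" created visible, one dynamically resolved import (GetSystemWow64DirectoryW) and one load/resolve/free chain between call sites 00C0D3AD and 00C0D3E5. The LoadLibraryA entry carries no recovered library name, so the chain records only the addresses; the target module is not recoverable from this page.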
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                                                                                                                                                                                                                • String ID: GetSystemWow64DirectoryW$X64
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 145871493-2590602151
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 543b9dd29ca7442c2bf2935bbb7f592edba3138d8c57b781b934bb81b5e363e8
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: bf2e550ad6755cf68273bc07e25e5c05820583dfe2c1507fef5e2b5c2354c384
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 543b9dd29ca7442c2bf2935bbb7f592edba3138d8c57b781b934bb81b5e363e8
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A9F0E57A806A21EBD7B167518C98B6DB774BF11B01F5581A9F817E20B4DB20CE44CB86
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00BB3B0F,SwapMouseButtons,00000004,?), ref: 00BB3B40
                                                                                                                                                                                                                                                                                                                                                                                • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00BB3B0F,SwapMouseButtons,00000004,?), ref: 00BB3B61
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00BB3B0F,SwapMouseButtons,00000004,?), ref: 00BB3B83
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CloseOpenQueryValue
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Control Panel\Mouse
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3677997916-824357125
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 8c9363757ad4085d6ce97facbd2802f756650bad1c7e238ba4d0cf8ff1fc88b6
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f347fcef0af1847e5e5f1ff7586feb9236ee75f1a7d460a1a7c2cccfcc3cee1e
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8c9363757ad4085d6ce97facbd2802f756650bad1c7e238ba4d0cf8ff1fc88b6
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 54112AB5511208FFDB208FA5DC84AFEB7F8EF05B44B104599A805D7124D6719E409760
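The per-function "APIs" blocks above are the part of this report an analyst actually mines: which Win32 calls a function makes, in what order, with which resolved string arguments, and from which address. The following is an added helper, not part of the Joe Sandbox report or of the Joe Sandbox IDA Plugin, that parses those bullet lines into records and pulls out the registry keys the sample opens (here HKEY_CURRENT_USER\Control Panel\Mouse) and the top-level call chain. The sample input is copied from the blocks on this page. Two things are assumptions of this example rather than documented behaviour of the report format: the hive constants are mapped with the standard HKEY_* values (80000001 is HKEY_CURRENT_USER), and argument entries beyond an API's real parameter count are treated as surrounding stack values captured by the plugin, which is why the value name SwapMouseButtons appears inside the RegOpenKeyExW line.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# API lines copied from the function blocks of this report (sample input).
SAMPLE = """\
• RegOpenKeyExW.KERNEL32(80000001,Control Panel\\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00BB3B0F,SwapMouseButtons,00000004,?), ref: 00BB3B40
• RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00BB3B0F,SwapMouseButtons,00000004,?), ref: 00BB3B61
• RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00BB3B0F,SwapMouseButtons,00000004,?), ref: 00BB3B83
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BF33A2
  • Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BB3A04
"""

# One bullet line: optional "Part of subcall function <addr>:" prefix,
# "<api>.<module>", optional "(<args>)", then ", ref: <addr>" or " ref: <addr>".
LINE_RE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<parent>[0-9A-Fa-f]+):\s*)?
        (?P<api>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)
        (?:\((?P<args>.*)\))?
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$""",
    re.VERBOSE,
)

# Assumption: standard predefined HKEY_* handle values, as used by advapi32.
HIVES = {
    "80000000": "HKEY_CLASSES_ROOT",
    "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE",
    "80000003": "HKEY_USERS",
}
REG_OPENERS = {
    "RegOpenKeyExW", "RegOpenKeyExA", "RegOpenKeyW", "RegOpenKeyA",
    "RegCreateKeyExW", "RegCreateKeyExA",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: str = ""
    parent: Optional[str] = None   # address of the subcall function, if nested


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the bullet lines of an 'APIs' block into ApiCall records.

    Lines that do not match the bullet format (headers, hashes) are skipped,
    so a whole function block can be fed in unchanged.
    """
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # '?' marks a value the plugin could not resolve; keep it as-is.
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref").upper(), m.group("parent")))
    return calls


def registry_keys(calls: List[ApiCall]):
    """Return (hive, subkey) pairs for every key-opening registry call whose
    first argument is a predefined hive handle (assumption: HIVES table)."""
    keys = []
    for c in calls:
        if c.api in REG_OPENERS and len(c.args) >= 2 and c.args[0].upper() in HIVES:
            keys.append((HIVES[c.args[0].upper()], c.args[1]))
    return keys


def api_chain(calls: List[ApiCall]) -> str:
    """Top-level call sequence as 'A->B->C', ignoring nested subcall lines."""
    return "->".join(c.api for c in calls if c.parent is None)


def modules_used(calls: List[ApiCall]) -> List[str]:
    """Sorted list of DLLs / CRT libraries the block imports from."""
    return sorted({c.module for c in calls})


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    print("chain:   ", api_chain(parsed))
    print("registry:", registry_keys(parsed))
    print("modules: ", modules_used(parsed))
```

Feeding an entire function block (headers, hashes and all) to parse_api_lines is safe because non-bullet lines are dropped; the records can then be joined with the "Similarity" API ID and String ID fields to cluster functions across reports.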
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BF33A2
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A
                                                                                                                                                                                                                                                                                                                                                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BB3A04
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: IconLoadNotifyShell_String_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Line:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2289894680-1585850449
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 24734586fe6fee7b01c65d1564a07c529c0f53d49df7c758b1fd952dfe93d34c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f80c8f8e10c5e85909519575f582571fb6ff37b4c8897d605a4d81768baf37df
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 24734586fe6fee7b01c65d1564a07c529c0f53d49df7c758b1fd952dfe93d34c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2031B471408304ABD725EB20DC45BFFB7DCAB40B10F1445AAF599931A1EBF49A49C7C6
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00BD0668
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BD32A4: RaiseException.KERNEL32(?,?,?,00BD068A,?,00C81444,?,?,?,?,?,?,00BD068A,00BB1129,00C78738,00BB1129), ref: 00BD3304
                                                                                                                                                                                                                                                                                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00BD0685
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
APIs
  • Part of subcall function 00BB3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BB3A04
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C1C259
• KillTimer.USER32(?,00000001,?,?), ref: 00C1C261
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C1C270
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
APIs
• CloseHandle.KERNEL32(00000000,00000000,?,?,00BE85CC,?,00C78CC8,0000000C), ref: 00BE8704
• GetLastError.KERNEL32(?,00BE85CC,?,00C78CC8,0000000C), ref: 00BE870E
• __dosmaperr.LIBCMT ref: 00BE8739
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID:
• API String ID: 2583163307-0
APIs
• TranslateMessage.USER32(?), ref: 00BBDB7B
• DispatchMessageW.USER32(?), ref: 00BBDB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BBDB9F
• Sleep.KERNEL32(0000000A), ref: 00BBDBB1
• TranslateAcceleratorW.USER32(?,?,?), ref: 00C01CC9
Similarity
• API ID: Message$Translate$AcceleratorDispatchPeekSleep
• String ID:
• API String ID: 3288985973-0
APIs
• __Init_thread_footer.LIBCMT ref: 00BBBB4E
Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Init_thread_footer
                                                                                                                                                                                                                                                                                                                                                                                • String ID: x
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1385522511-3713776305
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 4870141d688ac93638182017fdfbb4ab212286574cf638cf2ec636bf803a0f6c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: b686ae3dc81e899dc32582cff69195833e91d58d40f520e9e9cd97c838d890d9
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4870141d688ac93638182017fdfbb4ab212286574cf638cf2ec636bf803a0f6c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6B328B74A002099FDB24CF54C898FBEB7F9EF44314F258099E955AB2A1C7B4EE41CB91
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • __Init_thread_footer.LIBCMT ref: 00BC17F6
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Init_thread_footer
                                                                                                                                                                                                                                                                                                                                                                                • String ID: CALL
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1385522511-4196123274
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 48f0c154dfcbcd43d3ef4838c29ce267c4ac8823552e3e2ee5301a4dedf6a870
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ee3fb85348a97af474d6e820cd9a0017a8a3572bb80c9c56f2583d42e1eaab2d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 48f0c154dfcbcd43d3ef4838c29ce267c4ac8823552e3e2ee5301a4dedf6a870
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 79227A706082019FC714DF18C884F2ABBF1BF96314F2489ADF4969B3A2D771E955CB92
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 0f5b526a80a57f9c4d1452827ef92826c147d57328c639ae6c339ec9cb358dd4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 8c87e197c32981104e52db77d1f98612e195aa4fcf8c8a54a74bbd98f0c7dea2
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0f5b526a80a57f9c4d1452827ef92826c147d57328c639ae6c339ec9cb358dd4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 17329D70A00605DFCB24EF94C885FBEB7F5EF04310F1485A9E966AB2A1D771AE40DB91
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetOpenFileNameW.COMDLG32(?), ref: 00BF2C8C
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB3A97,?,?,00BB2E7F,?,?,?,00000000), ref: 00BB3AC2
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB2DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00BB2DC4
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen
• String ID: X
• API String ID: 779396738-3081909835
• Opcode ID: e89be81b8eee789c0e0f96649776c6c029bfca9357855465400edd79b409d9ff
• Instruction ID: 343d603ab86c73d415cd0ef123805bb64a64c596b630297d41890bf151f2bde4
• Opcode Fuzzy Hash: e89be81b8eee789c0e0f96649776c6c029bfca9357855465400edd79b409d9ff
• Instruction Fuzzy Hash: 6A216371A102589FDF41DF94C845BEE7BF8AF49714F008099E509A7241DBF49A49CF61
APIs
• GetComputerNameW.KERNEL32(?,?), ref: 00C0D375
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ComputerName
• String ID: X64
• API String ID: 3545744682-893830106
• Opcode ID: 9db0e145c54f1c9287757ca79eaa4c124418bff55af41988ecc9ecb78e2ffc0e
• Instruction ID: 937b7198bd2f3477d400281e87a4dc7c84c4b0a3957d169d770b4593abb545d3
• Opcode Fuzzy Hash: 9db0e145c54f1c9287757ca79eaa4c124418bff55af41988ecc9ecb78e2ffc0e
• Instruction Fuzzy Hash: 76D0C9B9805118EBCB90CB81DCC8EDDB3BCBB04301F504195F003A2050D73099489B10
APIs
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BB3908
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: IconNotifyShell_
• String ID:
• API String ID: 1144537725-0
• Opcode ID: a3c6a1a39695180fac6d9be693463e4a95868671bd5b3491b1f9c57e6e4486ad
• Instruction ID: 7206ba7222b8760bc850f9fc44295c08e7335447dd76f2952e82ecbc29f04e44
• Opcode Fuzzy Hash: a3c6a1a39695180fac6d9be693463e4a95868671bd5b3491b1f9c57e6e4486ad
• Instruction Fuzzy Hash: 4131A270504701DFD721DF24D8847EBBBE8FB49B18F04096EFA9A83250E7B1AA44CB56
APIs
• timeGetTime.WINMM ref: 00BCF661
  • Part of subcall function 00BBD730: GetInputState.USER32 ref: 00BBD807
• Sleep.KERNEL32(00000000), ref: 00C0F2DE
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: InputSleepStateTimetime
• String ID:
• API String ID: 4149333218-0
• Opcode ID: d42076fa9a606c5723b4405c422e43ff8bdcd62ed019bb8e485ea3fc624d9c26
• Instruction ID: 724e6e83e29be935000c6dac125e2c3ea47442552db3500a6449b07f98383bea
• Opcode Fuzzy Hash: d42076fa9a606c5723b4405c422e43ff8bdcd62ed019bb8e485ea3fc624d9c26
• Instruction Fuzzy Hash: 0BF08C352402059FD360EF69D499FAAB7E8FF56760F0000ADE85AC72A0DBB0A800CB91
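The per-function records above (an "APIs" list with optional "Part of subcall function" nesting, followed by "Memory Dump Source", "Joe Sandbox IDA Plugin" and "Similarity" fields) are what an analyst typically wants to pull out of a text export of this report rather than read by hand. The following parser is an added example, not Joe Sandbox code: it assumes the line layout shown in this section (bullet-prefixed entries, a fixed set of section headers, `Name.MODULE(args), ref: ADDR` for each call) and feeds it a SAMPLE constructed from the timeGetTime/Sleep and LoadLibrary/GetProcAddress records on this page, with whitespace normalised. On top of the parsed records it derives two facts a practitioner cares about: whether a function pairs a timer read with Sleep (the execution-timing pattern), and which export names it resolves through GetProcAddress, which the static import table will not show. The set of timer APIs in TIMER_APIS is this example's own assumption.

```python
"""Parser for the per-function API records of a Joe Sandbox text export.

Added example; not Joe Sandbox code. Field layout follows the text export
visible in this report. SAMPLE is constructed from records in that report
(leading whitespace normalised, 'Download File' link residue removed).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
APIs
• timeGetTime.WINMM ref: 00BCF661
  • Part of subcall function 00BBD730: GetInputState.USER32 ref: 00BBD807
• Sleep.KERNEL32(00000000), ref: 00C0F2DE
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: InputSleepStateTimetime
• String ID:
• API String ID: 4149333218-0
• Instruction Fuzzy Hash: 0BF08C352402059FD360EF69D499FAAB7E8FF56760F0000ADE85AC72A0DBB0A800CB91
APIs
  • Part of subcall function 00BB4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BB4EDD,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4E9C
  • Part of subcall function 00BB4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BB4EAE
  • Part of subcall function 00BB4E90: FreeLibrary.KERNEL32(00000000,?,?,00BB4EDD,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4EC0
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4EFD
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
"""

# One API call line: optional subcall prefix, Name.MODULE, optional (args), ref: ADDR
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Any other "• Key: value" line in the record
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
# Assumption of this example: which APIs count as a timer read.
TIMER_APIS = {"timeGetTime", "GetTickCount", "GetTickCount64", "QueryPerformanceCounter"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str]  # address of the subcall function, if nested


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    def calls_named(self, *names: str) -> List[ApiCall]:
        return [c for c in self.calls if c.name in names]


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the export into records; each 'APIs' header starts a new one."""
    records: List[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if section == "APIs":
                records.append(FunctionRecord())
            continue
        if not records:
            raise ValueError(f"field before first APIs header: {line!r}")
        if section == "APIs":
            m = API_RE.match(raw)
            if not m:
                raise ValueError(f"unparsed API line: {line!r}")
            args = m["args"].split(",") if m["args"] else []
            records[-1].calls.append(
                ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
        else:
            m = FIELD_RE.match(raw)
            if m:
                records[-1].fields[m["key"].strip()] = m["value"].strip()
    return records


def has_timing_check(rec: FunctionRecord) -> bool:
    """Timer read plus Sleep in one function: the execution-timing pattern
    used to notice debuggers and sandboxes that accelerate or skip sleeps."""
    names = {c.name for c in rec.calls}
    return bool(names & TIMER_APIS) and "Sleep" in names


def dynamically_resolved(rec: FunctionRecord) -> List[str]:
    """Second argument of each GetProcAddress call: imports absent from the IAT."""
    return [c.args[1] for c in rec.calls_named("GetProcAddress") if len(c.args) >= 2]


def summarize(text: str) -> List[dict]:
    return [{"api_id": r.fields.get("API ID"),
             "calls": [c.name for c in r.calls],
             "timing_check": has_timing_check(r),
             "resolved": dynamically_resolved(r)} for r in parse_records(text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Run it on a saved text export instead of SAMPLE to get one row per function; the `timing_check` and `resolved` columns are the quickest way to find the functions behind the report's timing and Wow64 redirection observations without scrolling through hashes.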
APIs
  • Part of subcall function 00BB4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BB4EDD,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4E9C
  • Part of subcall function 00BB4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BB4EAE
  • Part of subcall function 00BB4E90: FreeLibrary.KERNEL32(00000000,?,?,00BB4EDD,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4EC0
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4EFD
  • Part of subcall function 00BB4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BF3CDE,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4E62
  • Part of subcall function 00BB4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BB4E74
  • Part of subcall function 00BB4E59: FreeLibrary.KERNEL32(00000000,?,?,00BF3CDE,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4E87
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Library$Load$AddressFreeProc
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2632591731-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c83d32a6a470aa50b9191134951fee1a0bf297c03522b8ab4a2d70764934ae2d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 0bde90bc7ff6f853a3e97595b19f3b7b12d0c3fa966095478ac048f033d21567
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c83d32a6a470aa50b9191134951fee1a0bf297c03522b8ab4a2d70764934ae2d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1A11BF32600205ABCB24AB64DC42BFD77E5FF40B10F108469F546AB1D2EFB0EA459B50
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: __wsopen_s
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3347428461-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 1d7f3c2b2817566194958a733080d6627c8200e0bc65305a8ca0ee4d82f437f6
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e6a51e245b05747e673344f527ea0d6be8b200dc543527365f039b339af7711f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1d7f3c2b2817566194958a733080d6627c8200e0bc65305a8ca0ee4d82f437f6
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 06112A7590410AAFCF05DF59E941AAE7BF5EF48314F104099FC08AB352DB31DA15CBA5
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BE4C7D: RtlAllocateHeap.NTDLL(00000008,00BB1129,00000000,?,00BE2E29,00000001,00000364,?,?,?,00BDF2DE,00BE3863,00C81444,?,00BCFDF5,?), ref: 00BE4CBE
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BE506C
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: AllocateHeap_free
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 614378929-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 16beea4e5cba540c04e5f2da46fbebce1577a98bfb1923b619a51b5f39e434a2
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C50126722047486BE3318F669885A5AFBECFB89370F25066DF184832C1EB70A805C6B4
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 90fa97f529317bf4cbe0ea1965f389bf47151502aa641e5030cd582e17893e8d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C8F0F432510A149AC6313A6A9C05B5AB7DCDF53334F1007EBF4359A3D2EB74E80286A5
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • RtlAllocateHeap.NTDLL(00000008,00BB1129,00000000,?,00BE2E29,00000001,00000364,?,?,?,00BDF2DE,00BE3863,00C81444,?,00BCFDF5,?), ref: 00BE4CBE
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• RtlAllocateHeap.NTDLL(00000000,?,00C81444,?,00BCFDF5,?,?,00BBA976,00000010,00C81440,00BB13FC,?,00BB13C6,?,00BB1129), ref: 00BE3852
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• FreeLibrary.KERNEL32(?,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4F6D
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• IsWindow.USER32(00000000), ref: 00C42A66
Similarity
• API ID: Window
• String ID:
• API String ID: 2353593579-0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00BB314E
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: IconNotifyShell_
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1144537725-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 9a3c24dca595dfde18e0b9bf66ca6ccf932c192af53a2871f58944736a1356a3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 2e5e6e640d3e8de39b61614abc128c27fd7a57e9dab8325ffc528156fc2aa07a
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9a3c24dca595dfde18e0b9bf66ca6ccf932c192af53a2871f58944736a1356a3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 35F037709143549FEB529B24DC467D97BFCA701708F0400E5A548A6291E7745B89CF55
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00BB2DC4
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: LongNamePath_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 541455249-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: e99bf3bb6f886a0873a73402ed0bb63da4450ab69ebd6f73f72d075a8a5c47c4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f97febe97fba816bf6dfa948c5c4f4cbd8a617630c5d5f1269337adf37bbbc33
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e99bf3bb6f886a0873a73402ed0bb63da4450ab69ebd6f73f72d075a8a5c47c4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 60E0CD766011245BC7209258DC06FEA77EDDFC8790F0400B1FE09D7258D9A4AD848550
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BB3908
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BBD730: GetInputState.USER32 ref: 00BBD807
                                                                                                                                                                                                                                                                                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00BB2B6B
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00BB314E
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3667716007-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 9c89456c0649e3b8e2492d997b717f407f041d705608135654fb671b06b4b773
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: a160c843d4402ef8ebbcaaca50b49797f61c585d8a58d25215c30119fb9ac16d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9c89456c0649e3b8e2492d997b717f407f041d705608135654fb671b06b4b773
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: ADE0862130424407CA04BB759852BFDA7D99BD1755F4415BEF54243163DEA589464352
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00C1DF40
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: FolderPath_wcslen
• String ID:
• API String ID: 2987691875-0
• Opcode ID: 74956d724a89ab863ee2da47dc72e2fa63ad3e2f88fe047ebc651f1bb9950d00
• Instruction ID: 3c0dd0b1720bb0032c4035aad4de3366941d209f45f642b37db7b42ee649d0ec
• Opcode Fuzzy Hash: 74956d724a89ab863ee2da47dc72e2fa63ad3e2f88fe047ebc651f1bb9950d00
• Instruction Fuzzy Hash: 12D05EA6A002282BDF60A6749D0EEFB3AACD740210F0006A0786DD3152E964DD4486B0
APIs
• CreateFileW.KERNEL32(00000000,00000000,?,00BF0704,?,?,00000000,?,00BF0704,00000000,0000000C), ref: 00BF03B7
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: f3d15a855fbe583d549d94eb9ac012e34debfbf0f4c85f6052ce82a02135d60e
• Instruction ID: bc4c99680e6d3cac7b6514d30b1e90f985a0198920faea333200707769de90bb
• Opcode Fuzzy Hash: f3d15a855fbe583d549d94eb9ac012e34debfbf0f4c85f6052ce82a02135d60e
• Instruction Fuzzy Hash: 5BD06C3204010DBBDF028F84DD46EDE3BAAFB48714F014000BE1856020C732E821AB90
APIs
• SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00BB1CBC
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: InfoParametersSystem
• String ID:
• API String ID: 3098949447-0
• Opcode ID: 2a29f85561cfe407c0aad83775d1f628030cb75e15e61196480593fc9164d1c6
• Instruction ID: 67716889e1e81f9728942d338234d387d356241ac300222d5dc6b7f29ba84c24
• Opcode Fuzzy Hash: 2a29f85561cfe407c0aad83775d1f628030cb75e15e61196480593fc9164d1c6
• Instruction Fuzzy Hash: DFC04C352802049AE2144B80BC4AF587754A348B00F044001F609555F382A12410A754
APIs
  • Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C4961A
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C4965B
• GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C4969F
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C496C9
• SendMessageW.USER32 ref: 00C496F2
• GetKeyState.USER32(00000011), ref: 00C4978B
• GetKeyState.USER32(00000009), ref: 00C49798
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C497AE
• GetKeyState.USER32(00000010), ref: 00C497B8
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C497E9
• SendMessageW.USER32 ref: 00C49810
• SendMessageW.USER32(?,00001030,?,00C47E95), ref: 00C49918
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C4992E
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C49941
• SetCapture.USER32(?), ref: 00C4994A
• ClientToScreen.USER32(?,?), ref: 00C499AF
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C499BC
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C499D6
• ReleaseCapture.USER32 ref: 00C499E1
• GetCursorPos.USER32(?), ref: 00C49A19
• ScreenToClient.USER32(?,?), ref: 00C49A26
• SendMessageW.USER32(?,00001012,00000000,?), ref: 00C49A80
• SendMessageW.USER32 ref: 00C49AAE
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00C49AEB
• SendMessageW.USER32 ref: 00C49B1A
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C49B3B
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C49B4A
• GetCursorPos.USER32(?), ref: 00C49B68
• ScreenToClient.USER32(?,?), ref: 00C49B75
• GetParent.USER32(?), ref: 00C49B93
• SendMessageW.USER32(?,00001012,00000000,?), ref: 00C49BFA
• SendMessageW.USER32 ref: 00C49C2B
                                                                                                                                                                                                                                                                                                                                                                                • ClientToScreen.USER32(?,?), ref: 00C49C84
                                                                                                                                                                                                                                                                                                                                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C49CB4
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C49CDE
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32 ref: 00C49D01
                                                                                                                                                                                                                                                                                                                                                                                • ClientToScreen.USER32(?,?), ref: 00C49D4E
                                                                                                                                                                                                                                                                                                                                                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C49D82
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BC9944: GetWindowLongW.USER32(?,000000EB), ref: 00BC9952
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00C49E05
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                                                                                                                                                                                                                                                                                                                                • String ID: x$@GUI_DRAGID$F
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3429851547-1409184586
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: cf7e9d3dd1ac7340767ce7122804712019fc7a5f5890dc4ed5393b05338a5af1
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e8e12c7456804b518f27d467420170db3f71a08b87ea073e7c9d4136e9fe3f85
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cf7e9d3dd1ac7340767ce7122804712019fc7a5f5890dc4ed5393b05338a5af1
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FF427734604611AFDB20CF28C884FABBBF9FF49320F154659FAA9872A1D731A951CF51
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00C448F3
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00C44908
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00C44927
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00C4494B
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00C4495C
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00C4497B
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00C449AE
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00C449D4
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00C44A0F
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C44A56
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C44A7E
                                                                                                                                                                                                                                                                                                                                                                                • IsMenu.USER32(?), ref: 00C44A97
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C44AF2
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C44B20
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00C44B94
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00C44BE3
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00C44C82
                                                                                                                                                                                                                                                                                                                                                                                • wsprintfW.USER32 ref: 00C44CAE
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C44CC9
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowTextW.USER32(?,00000000,00000001), ref: 00C44CF1
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C44D13
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C44D33
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowTextW.USER32(?,00000000,00000001), ref: 00C44D5A
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                                                                                                                                                                                                                                                                                                                                • String ID: %d/%02d/%02d
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4054740463-328681919
• Opcode ID: 421a3bfbce26930eade418d98175555f5a4b8eed60687f13e1421c9e33914ec1
• Instruction ID: 9e3dc55b6d868b8dde43cdf318a5dc3b886e7166a48b535d1a6dce9120110622
• Opcode Fuzzy Hash: 421a3bfbce26930eade418d98175555f5a4b8eed60687f13e1421c9e33914ec1
• Instruction Fuzzy Hash: 4412F271A00215ABEB288F65CC49FAE7BF8FF45710F204169F926DB2E1DB749A41CB50
APIs
• GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00BCF998
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C0F474
• IsIconic.USER32(00000000), ref: 00C0F47D
• ShowWindow.USER32(00000000,00000009), ref: 00C0F48A
• SetForegroundWindow.USER32(00000000), ref: 00C0F494
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C0F4AA
• GetCurrentThreadId.KERNEL32 ref: 00C0F4B1
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C0F4BD
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00C0F4CE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00C0F4D6
• AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C0F4DE
• SetForegroundWindow.USER32(00000000), ref: 00C0F4E1
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0F4F6
• keybd_event.USER32(00000012,00000000), ref: 00C0F501
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0F50B
• keybd_event.USER32(00000012,00000000), ref: 00C0F510
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0F519
• keybd_event.USER32(00000012,00000000), ref: 00C0F51E
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0F528
• keybd_event.USER32(00000012,00000000), ref: 00C0F52D
• SetForegroundWindow.USER32(00000000), ref: 00C0F530
• AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C0F557
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
• Opcode ID: a39e61028d3f4c4838a31440bf5ce7b60a881add5d1fdf9b2c842a7c0df228f9
• Instruction ID: e6ad013148663f523fc75457f2c879485ba6847c398b00b8859e48f911a91f0f
• Opcode Fuzzy Hash: a39e61028d3f4c4838a31440bf5ce7b60a881add5d1fdf9b2c842a7c0df228f9
• Instruction Fuzzy Hash: A6317275A41218BBEB306BB55C8AFBF7E6CFB45B50F100069FA00E61E1C6B06D41EA60
APIs
  • Part of subcall function 00C116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C1170D
  • Part of subcall function 00C116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C1173A
  • Part of subcall function 00C116C3: GetLastError.KERNEL32 ref: 00C1174A
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C11286
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C112A8
• CloseHandle.KERNEL32(?), ref: 00C112B9
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C112D1
• GetProcessWindowStation.USER32 ref: 00C112EA
• SetProcessWindowStation.USER32(00000000), ref: 00C112F4
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C11310
  • Part of subcall function 00C110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C111FC), ref: 00C110D4
  • Part of subcall function 00C110BF: CloseHandle.KERNEL32(?,?,00C111FC), ref: 00C110E9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
• String ID: $default$winsta0
• API String ID: 22674027-1027155976
• Opcode ID: 1281ca6ebde4699f938d7eb64e865edbf40522f13d59a1118cfbbf2006b65987
• Instruction ID: 8e976f47095fbc10ca37da522fc2286360b0a51f207509c5d33f1a873a062417
• Opcode Fuzzy Hash: 1281ca6ebde4699f938d7eb64e865edbf40522f13d59a1118cfbbf2006b65987
• Instruction Fuzzy Hash: 6981A271900209AFDF109FA4DC49FEE7BB9FF06704F184129FE20A61A0D7798A84DB61
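Read together, the two API listings above are the fingerprints of two well-known Win32 routines. The first is a forced window activation: FindWindowW on Shell_TrayWnd, ShowWindow with nCmdShow 9 (SW_RESTORE), AttachThreadInput to the foreground window's thread, four keybd_event calls with bVk 0x12 (VK_MENU, the ALT key) to satisfy SetForegroundWindow's foreground-lock rules, SetForegroundWindow, then AttachThreadInput with fAttach 0 to detach. The second is an interactive RunAs: LogonUserW, DuplicateTokenEx with ImpersonationLevel 2 (SecurityImpersonation) and TokenType 1 (TokenPrimary), then OpenWindowStationW("winsta0") with access 0x60000 (READ_CONTROL|WRITE_DAC) and OpenDesktopW("default") with access 0x60081 (READ_CONTROL|WRITE_DAC|DESKTOP_READOBJECTS|DESKTOP_WRITEOBJECTS), which is what a process needs in order to add the new logon to the window-station and desktop DACLs before starting a process under that token; the GetUserObjectSecurity / GetSecurityDescriptorDacl / GetAclInformation calls in the next listing are the DACL-read half of that same procedure. Both chains are consistent with the built-in WinActivate and RunAs helpers of the AutoIt runtime the sample appears to be compiled with, so a detection written on these calls alone will also fire on benign compiled AutoIt scripts.

The decoder below is an added example, not Joe Sandbox code and not code recovered from the sample. It parses the report's "APIs" line format, names the documented Win32 constants behind the argument values the listings show, and flags the two chains as ordered subsequences of calls. The behaviour names, step lists and per-API decode tables are this example's own choices; the sample trace text is copied from the listings above; the bullet-and-whitespace line layout is assumed from this page.

```python
"""Decode Joe Sandbox 'APIs' trace lines and flag two call chains seen in this report.

Added example; neither Joe Sandbox code nor code from the analysed sample. The constant
tables hold the documented Win32 values for the argument positions that the listings show.
"""
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple


class Call(NamedTuple):
    api: str
    module: str
    args: List[str]         # raw arguments as printed by the report ("?" = not captured)
    ref: Optional[int]      # call-site address
    subcall: Optional[int]  # callee address when the line reads "Part of subcall function"


# Line layout assumed from this page: "• Name.MODULE(arg,arg), ref: ADDR"; the parenthesised
# argument list and the "ref:" part are both optional (e.g. "GetCurrentThreadId.KERNEL32 ref: ...").
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*(?:ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)


def parse_line(line: str) -> Optional[Call]:
    """One trace line -> Call, or None if the line is a header such as 'APIs' or 'Strings'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    ref = int(m.group("ref"), 16) if m.group("ref") else None
    sub = int(m.group("sub"), 16) if m.group("sub") else None
    return Call(m.group("api"), m.group("mod"), args, ref, sub)


def parse_trace(text: str) -> List[Call]:
    return [c for c in (parse_line(ln) for ln in text.splitlines()) if c]


def arg_int(call: Call, idx: int) -> Optional[int]:
    """Numeric view of an argument; None for '?', strings such as winsta0, or missing positions."""
    if idx >= len(call.args):
        return None
    try:
        return int(call.args[idx], 16)
    except ValueError:
        return None


# Documented Win32 values for the argument positions decoded below.
VK = {0x12: "VK_MENU"}  # ALT
SW = {9: "SW_RESTORE"}
IMPERSONATION = {0: "SecurityAnonymous", 1: "SecurityIdentification",
                 2: "SecurityImpersonation", 3: "SecurityDelegation"}
TOKEN_TYPE = {1: "TokenPrimary", 2: "TokenImpersonation"}
STD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
DESKTOP_RIGHTS = {**STD_RIGHTS, 0x1: "DESKTOP_READOBJECTS", 0x80: "DESKTOP_WRITEOBJECTS"}
SECURITY_INFO = {0x1: "OWNER_SECURITY_INFORMATION", 0x2: "GROUP_SECURITY_INFORMATION",
                 0x4: "DACL_SECURITY_INFORMATION", 0x8: "SACL_SECURITY_INFORMATION"}
ACL_CLASS = {1: "AclRevisionInformation", 2: "AclSizeInformation"}

# api -> {0-based argument index: (parameter name, table, decode as bit flags?)}
DECODERS = {
    "ShowWindow": {1: ("nCmdShow", SW, False)},
    "MapVirtualKeyW": {0: ("uCode", VK, False)},
    "keybd_event": {0: ("bVk", VK, False)},
    "DuplicateTokenEx": {3: ("ImpersonationLevel", IMPERSONATION, False),
                         4: ("TokenType", TOKEN_TYPE, False)},
    "OpenWindowStationW": {2: ("dwDesiredAccess", STD_RIGHTS, True)},
    "OpenDesktopW": {3: ("dwDesiredAccess", DESKTOP_RIGHTS, True)},
    "GetUserObjectSecurity": {1: ("pSIRequested", SECURITY_INFO, True)},
    "GetAclInformation": {3: ("dwAclInformationClass", ACL_CLASS, False)},
}


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Split a bit mask into known flag names (ascending bit order); unknown bits stay as hex."""
    names, rest = [], value
    for bit in sorted(table):
        if rest & bit:
            names.append(table[bit])
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def decode_args(call: Call) -> Dict[str, str]:
    """Symbolic names for the arguments this example knows how to decode."""
    out: Dict[str, str] = {}
    for idx, (name, table, is_flags) in DECODERS.get(call.api, {}).items():
        v = arg_int(call, idx)
        if v is not None:
            out[name] = decode_flags(v, table) if is_flags else table.get(v, hex(v))
    return out


Step = Tuple[str, Callable[[Call], bool]]


def _arg_is(idx: int, value: int) -> Callable[[Call], bool]:
    return lambda c: arg_int(c, idx) == value


def _arg_str(idx: int, s: str) -> Callable[[Call], bool]:
    return lambda c: idx < len(c.args) and c.args[idx] == s


def _has_write_dac(idx: int) -> Callable[[Call], bool]:
    return lambda c: bool((arg_int(c, idx) or 0) & 0x40000)


# Behaviour names and step lists are this example's own; steps must appear in order, gaps allowed.
BEHAVIOURS: Dict[str, List[Step]] = {
    "force_foreground_alt_tap": [
        ("FindWindowW", _arg_str(0, "Shell_TrayWnd")),
        ("AttachThreadInput", _arg_is(2, 1)),      # fAttach = TRUE
        ("keybd_event", _arg_is(0, 0x12)),         # VK_MENU
        ("SetForegroundWindow", lambda c: True),
        ("AttachThreadInput", _arg_is(2, 0)),      # fAttach = FALSE (detach)
    ],
    "runas_interactive_desktop": [
        ("LogonUserW", lambda c: True),
        ("DuplicateTokenEx", _arg_is(4, 1)),       # TokenPrimary
        ("OpenWindowStationW", lambda c: _arg_str(0, "winsta0")(c) and _has_write_dac(2)(c)),
        ("SetProcessWindowStation", lambda c: True),
        ("OpenDesktopW", lambda c: _arg_str(0, "default")(c) and _has_write_dac(3)(c)),
    ],
}


def match_steps(calls: List[Call], steps: List[Step]) -> bool:
    pos = 0
    for call in calls:
        api, pred = steps[pos]
        if call.api == api and pred(call):
            pos += 1
            if pos == len(steps):
                return True
    return False


def classify(trace_text: str) -> List[str]:
    """Names of the behaviours whose step list is an ordered subsequence of the trace."""
    calls = parse_trace(trace_text)
    return [name for name, steps in BEHAVIOURS.items() if match_steps(calls, steps)]


# Sample traces copied from the two listings above (subset of lines).
SAMPLE_ACTIVATE = """\
• GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00BCF998
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C0F474
• IsIconic.USER32(00000000), ref: 00C0F47D
• ShowWindow.USER32(00000000,00000009), ref: 00C0F48A
• SetForegroundWindow.USER32(00000000), ref: 00C0F494
• GetCurrentThreadId.KERNEL32 ref: 00C0F4B1
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00C0F4CE
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0F4F6
• keybd_event.USER32(00000012,00000000), ref: 00C0F501
• SetForegroundWindow.USER32(00000000), ref: 00C0F530
• AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C0F557
"""
SAMPLE_RUNAS = """\
  • Part of subcall function 00C116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C1170D
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C11286
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C112A8
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C112D1
• SetProcessWindowStation.USER32(00000000), ref: 00C112F4
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C11310
"""

if __name__ == "__main__":
    for text in (SAMPLE_ACTIVATE, SAMPLE_RUNAS):
        for call in parse_trace(text):
            print(f"{call.api:<24} {call.args} {decode_args(call)}")
        print("behaviours:", classify(text))
```

Two caveats when using this against other reports. The listing only shows the first two keybd_event arguments (bVk, bScan), so press and release cannot be told apart from the trace; the matcher therefore counts any VK_MENU keybd_event. And LogonUserW's dwLogonType and dwLogonProvider are printed as 00000000 here, which may be the sandbox's placeholder for values it did not capture rather than a real logon type, so the matcher deliberately does not decode them.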
APIs
  • Part of subcall function 00C110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C11114
  • Part of subcall function 00C110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C11120
  • Part of subcall function 00C110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C1112F
  • Part of subcall function 00C110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C11136
  • Part of subcall function 00C110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C1114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C10BCC
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C10C00
                                                                                                                                                                                                                                                                                                                                                                                • GetLengthSid.ADVAPI32(?), ref: 00C10C17
                                                                                                                                                                                                                                                                                                                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 00C10C51
                                                                                                                                                                                                                                                                                                                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C10C6D
                                                                                                                                                                                                                                                                                                                                                                                • GetLengthSid.ADVAPI32(?), ref: 00C10C84
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C10C8C
                                                                                                                                                                                                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000), ref: 00C10C93
                                                                                                                                                                                                                                                                                                                                                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C10CB4
                                                                                                                                                                                                                                                                                                                                                                                • CopySid.ADVAPI32(00000000), ref: 00C10CBB
                                                                                                                                                                                                                                                                                                                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C10CEA
                                                                                                                                                                                                                                                                                                                                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C10D0C
                                                                                                                                                                                                                                                                                                                                                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C10D1E
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C10D45
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00C10D4C
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C10D55
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00C10D5C
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C10D65
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00C10D6C
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00C10D78
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00C10D7F
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C11193: GetProcessHeap.KERNEL32(00000008,00C10BB1,?,00000000,?,00C10BB1,?), ref: 00C111A1
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C11193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C10BB1,?), ref: 00C111A8
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C11193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C10BB1,?), ref: 00C111B7
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4175595110-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 2f490a36e63641514ba8421c201cd08c78572552bdbed593799bdd2d1ea729f9
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 75dcbdb2deb27b699557aad378725cb98d873e3367811db36c683a94e60e6ab5
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2f490a36e63641514ba8421c201cd08c78572552bdbed593799bdd2d1ea729f9
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1C717E7590120AABDF10DFA4DC84BEEBBB8BF06300F148515E914A61A1D7B5AA85DBA0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • OpenClipboard.USER32(00C4CC08), ref: 00C2EB29
                                                                                                                                                                                                                                                                                                                                                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 00C2EB37
                                                                                                                                                                                                                                                                                                                                                                                • GetClipboardData.USER32(0000000D), ref: 00C2EB43
                                                                                                                                                                                                                                                                                                                                                                                • CloseClipboard.USER32 ref: 00C2EB4F
                                                                                                                                                                                                                                                                                                                                                                                • GlobalLock.KERNEL32(00000000), ref: 00C2EB87
                                                                                                                                                                                                                                                                                                                                                                                • CloseClipboard.USER32 ref: 00C2EB91
                                                                                                                                                                                                                                                                                                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00C2EBBC
                                                                                                                                                                                                                                                                                                                                                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 00C2EBC9
                                                                                                                                                                                                                                                                                                                                                                                • GetClipboardData.USER32(00000001), ref: 00C2EBD1
                                                                                                                                                                                                                                                                                                                                                                                • GlobalLock.KERNEL32(00000000), ref: 00C2EBE2
                                                                                                                                                                                                                                                                                                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00C2EC22
                                                                                                                                                                                                                                                                                                                                                                                • IsClipboardFormatAvailable.USER32(0000000F), ref: 00C2EC38
                                                                                                                                                                                                                                                                                                                                                                                • GetClipboardData.USER32(0000000F), ref: 00C2EC44
                                                                                                                                                                                                                                                                                                                                                                                • GlobalLock.KERNEL32(00000000), ref: 00C2EC55
                                                                                                                                                                                                                                                                                                                                                                                • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C2EC77
                                                                                                                                                                                                                                                                                                                                                                                • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C2EC94
                                                                                                                                                                                                                                                                                                                                                                                • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C2ECD2
                                                                                                                                                                                                                                                                                                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00C2ECF3
                                                                                                                                                                                                                                                                                                                                                                                • CountClipboardFormats.USER32 ref: 00C2ED14
                                                                                                                                                                                                                                                                                                                                                                                • CloseClipboard.USER32 ref: 00C2ED59
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
• String ID:
• API String ID: 420908878-0
• Opcode ID: 33a942cf6b7902f653fadd89a0f3ddb8d7239d22040f7e20d5b53515f2479f7a
• Instruction ID: 36193ca4cd80d6c99340e456361d9a29b66046f7f6031b649d55590950e9dd5d
• Opcode Fuzzy Hash: 33a942cf6b7902f653fadd89a0f3ddb8d7239d22040f7e20d5b53515f2479f7a
• Instruction Fuzzy Hash: 9A61BF342042019FD310EF24E885FBE7BE4BF85714F184559F856A76A2CBB1DE45CB62
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00C269BE
• FindClose.KERNEL32(00000000), ref: 00C26A12
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C26A4E
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C26A75
  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00C26AB2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00C26ADF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
• String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
• API String ID: 3830820486-3289030164
• Opcode ID: c2038c5fc4e133c97ce4f90d3bf8321f085263c6a8c41998b3f4a1858c1d679b
• Instruction ID: c78b16351ad6b6b023709ca5d583934b3769f099c5671e9fafe7a77024051152
• Opcode Fuzzy Hash: c2038c5fc4e133c97ce4f90d3bf8321f085263c6a8c41998b3f4a1858c1d679b
• Instruction Fuzzy Hash: A2D14E72508300AFC714EBA4D891EBFB7ECAF88704F44495DF589D6191EBB4DA48CB62
APIs
• FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00C29663
• GetFileAttributesW.KERNEL32(?), ref: 00C296A1
• SetFileAttributesW.KERNEL32(?,?), ref: 00C296BB
• FindNextFileW.KERNEL32(00000000,?), ref: 00C296D3
• FindClose.KERNEL32(00000000), ref: 00C296DE
• FindFirstFileW.KERNEL32(*.*,?), ref: 00C296FA
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C2974A
• SetCurrentDirectoryW.KERNEL32(00C76B7C), ref: 00C29768
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00C29772
• FindClose.KERNEL32(00000000), ref: 00C2977F
• FindClose.KERNEL32(00000000), ref: 00C2978F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
• Opcode ID: 2e8a4a69af8b780ca4d629518b3e25431957df8a6b2bb8a186ad25fd1b8d833c
• Instruction ID: 79973da53a30c825208723e689243cb5a8a14950a7a78fd2aeb5881e2751c443
• Opcode Fuzzy Hash: 2e8a4a69af8b780ca4d629518b3e25431957df8a6b2bb8a186ad25fd1b8d833c
• Instruction Fuzzy Hash: 4031D5365016296BDB60EFB5EC49BDE77BCEF0A320F104166F915E21A0EB74DE448A14
APIs
• FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00C297BE
• FindNextFileW.KERNEL32(00000000,?), ref: 00C29819
• FindClose.KERNEL32(00000000), ref: 00C29824
• FindFirstFileW.KERNEL32(*.*,?), ref: 00C29840
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C29890
• SetCurrentDirectoryW.KERNEL32(00C76B7C), ref: 00C298AE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00C298B8
• FindClose.KERNEL32(00000000), ref: 00C298C5
• FindClose.KERNEL32(00000000), ref: 00C298D5
  • Part of subcall function 00C1DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C1DB00
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                                                                                                                                                                                                                                                                                                                • String ID: *.*
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2640511053-438819550
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 5a6fe00c87fb28633c3a046c46e39fb5c796e0ba7b85d4107ec37136561b759a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 59dbbb366865751826e9c3beb31b622a0f27fe228dec6a996a5affcd9e1b4e3d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5a6fe00c87fb28633c3a046c46e39fb5c796e0ba7b85d4107ec37136561b759a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0D31D6355016296BDB24EFB5EC88BDE77BCEF07320F144166E924E21E1DB70DA44CA24
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB3A97,?,?,00BB2E7F,?,?,?,00000000), ref: 00BB3AC2
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C1E199: GetFileAttributesW.KERNEL32(?,00C1CF95), ref: 00C1E19A
                                                                                                                                                                                                                                                                                                                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 00C1D122
                                                                                                                                                                                                                                                                                                                                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C1D1DD
                                                                                                                                                                                                                                                                                                                                                                                • MoveFileW.KERNEL32(?,?), ref: 00C1D1F0
                                                                                                                                                                                                                                                                                                                                                                                • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C1D20D
                                                                                                                                                                                                                                                                                                                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C1D237
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C1D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C1D21C,?,?), ref: 00C1D2B2
                                                                                                                                                                                                                                                                                                                                                                                • FindClose.KERNEL32(00000000,?,?,?), ref: 00C1D253
                                                                                                                                                                                                                                                                                                                                                                                • FindClose.KERNEL32(00000000), ref: 00C1D264
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                                                                                                                                                                                                                                                                                                                • String ID: \*.*
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1946585618-1173974218
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: b0be17fc0a34bb72cafcd921b2fcd0f393a13d0f78f9c84f1d8bba6da8e42c67
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f2c6b907a6fe04eb11c2cc9695ba42b026b4e4477ea720971a8360eeccf623b4
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b0be17fc0a34bb72cafcd921b2fcd0f393a13d0f78f9c84f1d8bba6da8e42c67
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 00614C3180110DABCF15EBE4DD92AFDB7B5AF16300F2441A5E412771A2EB70AF49EB61
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1737998785-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: bd02e964135344dd5acc104a393039db510fa01c14e21983ea7407b13c1c8176
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 8a45f15de67492ade3f9a344c53eb223a21085ec79ea0791b7675e1574b4db0f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: bd02e964135344dd5acc104a393039db510fa01c14e21983ea7407b13c1c8176
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A341BD35205621AFD320CF15E888B69BBE5FF45318F15C099E4299BB72C775ED41CB90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C1170D
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C1173A
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C116C3: GetLastError.KERNEL32 ref: 00C1174A
• ExitWindowsEx.USER32(?,00000000), ref: 00C1E932
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $ $@$SeShutdownPrivilege
• API String ID: 2234035333-3163812486
• Opcode ID: 88aca2eb08c85d2cc700af018115e37e8d61eddb06460256e65630a4204a252b
• Instruction ID: 0a08a7c762c50c260cd82cbd38b39ae68fa240cd94944e68809d6421fb879a68
• Opcode Fuzzy Hash: 88aca2eb08c85d2cc700af018115e37e8d61eddb06460256e65630a4204a252b
• Instruction Fuzzy Hash: F1014932A10311ABEB6422B59CC6FFF725CAB0A750F184422FD13E20E1D5A55DC0B2A0
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C31276
• WSAGetLastError.WSOCK32 ref: 00C31283
• bind.WSOCK32(00000000,?,00000010), ref: 00C312BA
• WSAGetLastError.WSOCK32 ref: 00C312C5
• closesocket.WSOCK32(00000000), ref: 00C312F4
• listen.WSOCK32(00000000,00000005), ref: 00C31303
• WSAGetLastError.WSOCK32 ref: 00C3130D
• closesocket.WSOCK32(00000000), ref: 00C3133C
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ErrorLast$closesocket$bindlistensocket
• String ID:
• API String ID: 540024437-0
• Opcode ID: cd85aa78ef6e54d71b4f900fe084797f4eb11335b38cbe98d29727476a4a134f
• Instruction ID: 93aeac77cc90433c16d95ed85085ccaf671056426310e24a294811fc4baaddbd
• Opcode Fuzzy Hash: cd85aa78ef6e54d71b4f900fe084797f4eb11335b38cbe98d29727476a4a134f
• Instruction Fuzzy Hash: DB417F35A001409FD710DF64C488B6ABBE5BF86318F188198E8669F2E7C771ED85CBE1
APIs
• _free.LIBCMT ref: 00BEB9D4
• _free.LIBCMT ref: 00BEB9F8
• _free.LIBCMT ref: 00BEBB7F
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C53700), ref: 00BEBB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,00C8121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BEBC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,00C81270,000000FF,?,0000003F,00000000,?), ref: 00BEBC36
• _free.LIBCMT ref: 00BEBD4B
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 314583886-0
• Opcode ID: 64087830c858c709acb1f0a31a77607598e7092daf55b95a6112dedb3270b193
• Instruction ID: c3f9938be724c8dbba2a2227ebd36984c9f5baa1f69c6209eeba5b6ada1f9b44
• Opcode Fuzzy Hash: 64087830c858c709acb1f0a31a77607598e7092daf55b95a6112dedb3270b193
• Instruction Fuzzy Hash: 7FC11775904285AFDB249F7A8C41FAF7BF9EF41310F1841EAE894D7252EB309E418B94
APIs
  • Part of subcall function 00BB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB3A97,?,?,00BB2E7F,?,?,?,00000000), ref: 00BB3AC2
  • Part of subcall function 00C1E199: GetFileAttributesW.KERNEL32(?,00C1CF95), ref: 00C1E19A
• FindFirstFileW.KERNEL32(?,?), ref: 00C1D420
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00C1D470
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00C1D481
• FindClose.KERNEL32(00000000), ref: 00C1D498
• FindClose.KERNEL32(00000000), ref: 00C1D4A1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                                                                                                                                                                                                                                                                                                                • String ID: \*.*
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2649000838-1173974218
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c70c24e28b3169605bb878a7af529c1fdac0efd3144ef017072e348604d6a27e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 439c5cb4ab946c749406b8f1cab3aa5227e16811e53ef528f032aad5f98d2d6f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c70c24e28b3169605bb878a7af529c1fdac0efd3144ef017072e348604d6a27e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0B317031009341ABC314EF64D8919FF77E8BE96300F444A5DF4D2921A1EBA0EA49D763
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: 13f4ddfcd36951c0da0520b5bad09ad6f87a84494ca038bf34ee8002872dc890
• Instruction ID: 1531563f4103da3a10ef3d12b9cd104e4a3273b878d8c21ff17b997690b4ff58
• Opcode Fuzzy Hash: 13f4ddfcd36951c0da0520b5bad09ad6f87a84494ca038bf34ee8002872dc890
• Instruction Fuzzy Hash: 87C24971E046698FDB25CE29DD807EAB7F5EB48305F1441EAD81EE7241E774AE818F40
APIs
• _wcslen.LIBCMT ref: 00C264DC
• CoInitialize.OLE32(00000000), ref: 00C26639
• CoCreateInstance.OLE32(00C4FCF8,00000000,00000001,00C4FB68,?), ref: 00C26650
• CoUninitialize.OLE32 ref: 00C268D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: 88c116a728eb007deb69544b0e34bf7ea5b9ae516afb6bff508eacfd341d1dcf
• Instruction ID: 5889b30ceaf7db09ad68060841de2fefb8e7c6da89519aa232172ac6c7366d3b
• Opcode Fuzzy Hash: 88c116a728eb007deb69544b0e34bf7ea5b9ae516afb6bff508eacfd341d1dcf
• Instruction Fuzzy Hash: A4D14B715083119FC314EF24C881AABB7E9FF94704F1049ADF5958B2A1EB70EE45CBA2
APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 00C322E8
  • Part of subcall function 00C2E4EC: GetWindowRect.USER32(?,?), ref: 00C2E504
• GetDesktopWindow.USER32 ref: 00C32312
• GetWindowRect.USER32(00000000), ref: 00C32319
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C32355
• GetCursorPos.USER32(?), ref: 00C32381
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C323DF
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForeground
• String ID:
• API String ID: 2387181109-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: fcc4bbc3000d46d9e429d2ce58485dd7e25097b9e500c953152150097c3529b4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: de52f876ac869e482c79db9072629c3bb7019d38c8f193441407fce2352bb5df
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fcc4bbc3000d46d9e429d2ce58485dd7e25097b9e500c953152150097c3529b4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8C31ED72505315ABDB60DF14D848B9FBBADFF85310F000919F995D71A1DB34EA08CB92
APIs
  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C29B78
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C29C8B
  • Part of subcall function 00C23874: GetInputState.USER32 ref: 00C238CB
  • Part of subcall function 00C23874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C23966
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C29BA8
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C29C75
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
• String ID: *.*
• API String ID: 1972594611-438819550
• Opcode ID: 77452d2f390a32d03cbc0f927d193397cfca9b91638fa112d7fa9cc3dd546b66
• Instruction ID: bb4d88306147fafdcf2bd3da27038d209141ab8a230112827c99411235bdc76e
• Opcode Fuzzy Hash: 77452d2f390a32d03cbc0f927d193397cfca9b91638fa112d7fa9cc3dd546b66
• Instruction Fuzzy Hash: 5D41827190521AAFDF55DF64D885AEEBBF4FF05310F2440AAE815A21A1EB709F84CF60
APIs
  • Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2
• DefDlgProcW.USER32(?,?,?,?,?), ref: 00BC9A4E
• GetSysColor.USER32(0000000F), ref: 00BC9B23
• SetBkColor.GDI32(?,00000000), ref: 00BC9B36
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Color$LongProcWindow
• String ID:
• API String ID: 3131106179-0
• Opcode ID: fc992f29306e18c9f29f2be1de05e1764e27955cb962eb2437daa21bef48e63f
• Instruction ID: 0e3c41a76dce99fa4b631301e37680348d445f5c766a92d4bf0fd087c1883574
• Opcode Fuzzy Hash: fc992f29306e18c9f29f2be1de05e1764e27955cb962eb2437daa21bef48e63f
• Instruction Fuzzy Hash: CAA10371608454BEF729AB2C8C8DF7F2ADDEB42340F15028DF512D66D1CA26AE01D776
APIs
  • Part of subcall function 00C3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C3307A
  • Part of subcall function 00C3304E: _wcslen.LIBCMT ref: 00C3309B
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C3185D
• WSAGetLastError.WSOCK32 ref: 00C31884
• bind.WSOCK32(00000000,?,00000010), ref: 00C318DB
• WSAGetLastError.WSOCK32 ref: 00C318E6
• closesocket.WSOCK32(00000000), ref: 00C31915
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$VUUU
• API String ID: 0-1546025612
APIs
• GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C1AAAC
• SetKeyboardState.USER32(00000080), ref: 00C1AAC8
• PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C1AB36
• SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C1AB88
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• InternetReadFile.WININET(?,?,00000400,?), ref: 00C2CE89
• GetLastError.KERNEL32(?,00000000), ref: 00C2CEEA
• SetEvent.KERNEL32(?,?,00000000), ref: 00C2CEFE
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ErrorEventFileInternetLastRead
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 234945975-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 82bd4ea299d9e6f289d5e9c8636bb7d53ad5b6d991805f5af6257aca1cbb1aa7
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 3927a980985595e5e9e9c3ab21e581d856a3da0c09814c70cc37182b4c39b0b5
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 82bd4ea299d9e6f289d5e9c8636bb7d53ad5b6d991805f5af6257aca1cbb1aa7
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A521AFB15007159BDB30DFA5E988BABBBFCEB50358F10441EE556D2561EB70EE048B50
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C182AA
Strings
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
• Opcode ID: 51bf61aae895d56d7079f5a7bac7a004aa487c20df309e4bcc000333d45de2ac
• Instruction ID: aa5b4ecc7816819e023a0350bf2bbe48cda2a6ed215016da8a1de94cc14f6d16
• Opcode Fuzzy Hash: 51bf61aae895d56d7079f5a7bac7a004aa487c20df309e4bcc000333d45de2ac
• Instruction Fuzzy Hash: 0C323874A047059FCB28CF59C081AAAB7F0FF48710B55C56EE5AADB3A1DB70E981DB40
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00C25CC1
• FindNextFileW.KERNEL32(00000000,?), ref: 00C25D17
• FindClose.KERNEL32(?), ref: 00C25D5F
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 29cab1ed4ad8b162a033b0818020c92975334966e0bfd74bc775e7187991f42f
• Instruction ID: fb1f41bbf40cd54b56a645af3bf6cb5ca1ea7f066aabbb93dded152730c3df9f
• Opcode Fuzzy Hash: 29cab1ed4ad8b162a033b0818020c92975334966e0bfd74bc775e7187991f42f
• Instruction Fuzzy Hash: AC519A74604A019FC714CF28D494EAAB7E4FF49314F14859EE96A8B3A2DB70ED05CF91
APIs
• IsDebuggerPresent.KERNEL32 ref: 00BE271A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BE2724
• UnhandledExceptionFilter.KERNEL32(?), ref: 00BE2731
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 0f07bbc41ecd2fe740f0a5e3fb4a978af965f04439617a44d767ed63f4c0153c
• Instruction ID: be6561e46d23e12d17676e07a6283c24984badadaec6a90f7f978fd22adc66dc
• Opcode Fuzzy Hash: 0f07bbc41ecd2fe740f0a5e3fb4a978af965f04439617a44d767ed63f4c0153c
• Instruction Fuzzy Hash: 2631B274911218ABCB21DF69DC897DDBBF8BF08310F5041EAE81CA6261E7709F818F45
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00C251DA
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C25238
                                                                                                                                                                                                                                                                                                                                                                                • SetErrorMode.KERNEL32(00000000), ref: 00C252A1
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ErrorMode$DiskFreeSpace
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1682464887-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: e958e1ba675297f75f9920452490037a572d4227c361155332559056bfe61257
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 01c166eabc62238f1a020c7f65bd593b72f0c5dad98ff2a6a47ce487902e11f8
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e958e1ba675297f75f9920452490037a572d4227c361155332559056bfe61257
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 99311A75A00518DFDB00DF54D884BAEBBB4FF49314F148099E909AB3A2DB71E955CB90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BCFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BD0668
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BCFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BD0685
                                                                                                                                                                                                                                                                                                                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C1170D
                                                                                                                                                                                                                                                                                                                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C1173A
                                                                                                                                                                                                                                                                                                                                                                                • GetLastError.KERNEL32 ref: 00C1174A
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 577356006-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 821bcd7fae91ec2b8d7890a02930f6fe93b8bcb59eb76f9afafb6a9c8ec398e7
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 76fb045778a52e80540d5f410e791556c53ea2da883d136528007ca824c45b54
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 821bcd7fae91ec2b8d7890a02930f6fe93b8bcb59eb76f9afafb6a9c8ec398e7
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6D11CEB2410305AFD718AF54DCC6EAAB7F9FB05714B24856EF46653291EB70BC818A60
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C1D608
                                                                                                                                                                                                                                                                                                                                                                                • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C1D645
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C1D650
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CloseControlCreateDeviceFileHandle
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 33631002-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 7beb529ef95f39678997048b1da962d680e6082fe214f1eb96c80f92e294a6bd
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: fe6cc275fd8ec3c0823991baa0742ed57be63b18dbd8fba567aebbdacc1b8efc
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7beb529ef95f39678997048b1da962d680e6082fe214f1eb96c80f92e294a6bd
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FE118E75E01228BFDB208F95DC84FEFBBBCEB46B60F108111F914E7290C2B05A018BA1
                                                                                                                                                                                                                                                                                                                                                                                APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C1168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C116A1
• FreeSid.ADVAPI32(?), ref: 00C116B1
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 424416e951ac1cd27fa36583e44c5bbcad241c6ca5fda8fcd175860d4afb9a3b
• Instruction ID: b9158ec4a41c6a4a75cb0ac4c5d20e1b2db755b14cbdfbe72e695fd8a5c3a22e
• Opcode Fuzzy Hash: 424416e951ac1cd27fa36583e44c5bbcad241c6ca5fda8fcd175860d4afb9a3b
• Instruction Fuzzy Hash: 3DF04475A41308FBDB00CFE0CC89AAEBBBCFB08200F004860E900E2190E334AA448A50
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID:
• String ID: /
• API String ID: 0-2043925204
• Opcode ID: ad91ad1f5af0c6cb7a1627070d6b497a4159ab287fae8ee7439c40e1b06ab751
• Instruction ID: 17d368b21e3194d2b0f4ad314fd5c5044818a3e1ef8ab26fc489a6c4d14ebcda
• Opcode Fuzzy Hash: ad91ad1f5af0c6cb7a1627070d6b497a4159ab287fae8ee7439c40e1b06ab751
• Instruction Fuzzy Hash: 304129765002596FCB249FBACC89EBB7BF8EB84354F1042E9F915D7280E7709D828B54
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
• Instruction ID: aed7b40f69b28664e3031fe8a2a5c3efcf62623ceea75bad6cb5ce5e230557ab
• Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
• Instruction Fuzzy Hash: C6022D71E0011A9BDF14CFA9C9806ADFBF1EF48314F2582AAD919E7384E731AD45CB84
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID:
• String ID: x$Variable is not of type 'Object'.
• API String ID: 0-78013578
• Opcode ID: cbb7ad7ca125adaaa506cad607ba25636ef8bc04434f4a1bf133bf5fb2dcdea9
• Instruction ID: b2e5ab7ae2cf59c6dd8fe709085b0bd8f81fbf516b584e33bc3d67828818eb5a
• Opcode Fuzzy Hash: cbb7ad7ca125adaaa506cad607ba25636ef8bc04434f4a1bf133bf5fb2dcdea9
• Instruction Fuzzy Hash: 7B3247749002189BDF14DF90C895BFDBBF5FF05304F2440A9E816AB292D7B5AE49CB61
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00C26918
• FindClose.KERNEL32(00000000), ref: 00C26961
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Find$CloseFileFirst
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2295610775-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 239260eaf503dd15cb0ea456e6483d01d67e550c7320be4730a2f55ae3a23971
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: fe324fbaa950ca6cf01dd9f1195aecfb2c1d764eede6f6049238229004ed36c4
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 239260eaf503dd15cb0ea456e6483d01d67e550c7320be4730a2f55ae3a23971
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5D1190356046109FC710DF2AD485A2ABBE5FF85328F14C699F4698F7A2CB70EC45CBA1
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00C34891,?,?,00000035,?), ref: 00C237E4
                                                                                                                                                                                                                                                                                                                                                                                • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00C34891,?,?,00000035,?), ref: 00C237F4
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ErrorFormatLastMessage
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3479602957-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 8d7f335517b53240d3cb4fefa586eb194504209c9636ccfca9eadbee3315dd36
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e11a23ce7d80de39b42114467fe9e1802691bee1bc7d8437e645e56a76911e57
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8d7f335517b53240d3cb4fefa586eb194504209c9636ccfca9eadbee3315dd36
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D3F0EC746052286BDB6017665C8DFEF3A9DEFC5B61F000165F505D21D1D5A05944C6B0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C1B25D
                                                                                                                                                                                                                                                                                                                                                                                • keybd_event.USER32(?,7707C0D0,?,00000000), ref: 00C1B270
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: InputSendkeybd_event
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3536248340-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ee9cd76912904c08c472872cc4e773c2f20e5ecdb836cbba6681a54f2aa5ccfd
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 23a58bc829eb006d3e76882d8c8bcf23a7ded2c859cb92ecede1b3ffa1f559be
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ee9cd76912904c08c472872cc4e773c2f20e5ecdb836cbba6681a54f2aa5ccfd
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B1F06D7480424EABDB058FA0C805BEE7BB0FF05305F008009F961A51A2C37986059F94
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C111FC), ref: 00C110D4
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?,?,00C111FC), ref: 00C110E9
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
• API String ID: 81990902-0
• Opcode ID: ed115ce06c92f4f84d8d4d4e07aa845008e747bb5521ad7f605ea76d41b08de3
• Instruction ID: 1efc9ce4b84ba045d72dc36065d8a2c6313a071e71ce48d477e1bdd02b9f5f33
• Opcode Fuzzy Hash: ed115ce06c92f4f84d8d4d4e07aa845008e747bb5521ad7f605ea76d41b08de3
• Instruction Fuzzy Hash: 15E04F32005611AEE7252B11FC05FB777E9FB05320B14886DF5A6804B1DB626C90DB10
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BE6766,?,?,00000008,?,?,00BEFEFE,00000000), ref: 00BE6998
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: a0f781a3ae65a4293d553ed2fba2cea10a923cbace9ddf12028def2c5314d4ee
• Instruction ID: ad28eeff11b98ce35cd0b9c970c89d731711209353838953ab4efad5873f237d
• Opcode Fuzzy Hash: a0f781a3ae65a4293d553ed2fba2cea10a923cbace9ddf12028def2c5314d4ee
• Instruction Fuzzy Hash: D2B16B35610648DFD719CF29C48AB657BE0FF153A4F25C699E89ACF2A2C335E981CB40
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: 06aa025718ef20e7a31950f455dc30920259b0cef196914ea1cb5ef031291230
• Instruction ID: b1c28e584a184727e6403c69cd12f26be66c378bb114f8ab961c4dfbfa6832d5
• Opcode Fuzzy Hash: 06aa025718ef20e7a31950f455dc30920259b0cef196914ea1cb5ef031291230
• Instruction Fuzzy Hash: FF124F759002299BDB24CF58C881BEEB7F5FF48710F14819AE849EB295DB309E85CF90
APIs
• BlockInput.USER32(00000001), ref: 00C2EABD
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: bc5123775933517ad18b995a1a7604cfbe0780abd30eb02b202254ff83ba1e86
• Instruction ID: 228c94796f56c712027270858fd6a0fa39a592590dc296380d73c7e657c1be27
• Opcode Fuzzy Hash: bc5123775933517ad18b995a1a7604cfbe0780abd30eb02b202254ff83ba1e86
• Instruction Fuzzy Hash: ADE012352102149FC710EF59D454E9ABBE9AF69760F00845AFC49D7251D6B0E8408B91
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00BD03EE), ref: 00BD09DA
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 00b6c5e4cbcc72b81b109f071d99a2c5ce801cf7f5421c57191e0c9937331713
• Instruction ID: 8a9dc058d32108de3f7b16ae0f30eba50d98cbf8abaf9784493dd6d8daa9629d
• Opcode Fuzzy Hash: 00b6c5e4cbcc72b81b109f071d99a2c5ce801cf7f5421c57191e0c9937331713
• Instruction Fuzzy Hash:
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID: 0
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 0-4108050209
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e35f7b1dac1c9f016bb0ab6b49f3d39bde6e511407c8a06dfa5064055076acf4
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E25137726CC6456ADB38852A48ADBFEE7D5DB02300F1805CBD886C7382FE1ADE01E355
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c55a63223dc1f34b4e98d68fd8ffe293eb184768b7f0c8e63f16c5487e86f5cb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: cffa514df5c9b916a7003fbcc72b226757e63fd68f6c44a1e92f57e8b4ec84b8
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c55a63223dc1f34b4e98d68fd8ffe293eb184768b7f0c8e63f16c5487e86f5cb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 67322326D69F414DD7239635D822339A2D9EFB73C6F24C727E81AB5AA5EF29C4C34100
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 3f06cb89b90d499f15dbd3d84718b088e9f3ba9d4fd4d812b9b3db44aa3942de
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e7a1978babbc8bc9ec4b07f66a929ecca2c577afb561f3ab7ba0d4b8d4bcb59c
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3f06cb89b90d499f15dbd3d84718b088e9f3ba9d4fd4d812b9b3db44aa3942de
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3A32F731A041558BDF24CF29C4D4B7E7BE1EB55310F28866AE4AEDB2D2D234DE81EB41
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 2d2dfc3bd7cbefe3f14f273f1a4c62a02367fd2ccb4bfc15c8518154f60f9c34
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 082fbf802f00662479a3b57ce7b6efaf702fe22ea355a22b6c16295a93cb3903
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2d2dfc3bd7cbefe3f14f273f1a4c62a02367fd2ccb4bfc15c8518154f60f9c34
• Instruction Fuzzy Hash: B822A070A0460A9FDF24CF68C881BFEB7F6FF44300F2045A9E916A7291EB75A955CB50
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc928ef95f9d95aa6196a7ee7fe4d181bb6ff064d934fe0eea2e6697be24d41b
• Instruction ID: b16bf70c5e16731d38ef8ca5e43f7ce672041dc1c15243fc8d8dc9b2b499c2aa
• Opcode Fuzzy Hash: fc928ef95f9d95aa6196a7ee7fe4d181bb6ff064d934fe0eea2e6697be24d41b
• Instruction Fuzzy Hash: 4202A6B0E0020AEBDB04DF54D881BBDB7F1FF44300F1081A9E9169B2A1E771EA55DB91
• Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
• Instruction ID: 36f206a6f367e2b67d14590aa5f5254196108062f89b3184612eebfdf07fe49d
• Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
• Instruction Fuzzy Hash: 589147726090A35ADB29463E857407DFFE1DA923A131A0FEFD4F2CA2C5FE149954D620
• Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
• Instruction ID: 560e61a9f874e7cffd5bcb729b53e87e1ff9f6ce1ceded687a27fbd9baf5271b
• Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
• Instruction Fuzzy Hash: D29144722090A35ADB2D467E857403EFFE1DA923A231A0BDFD4F2CA2C5FE24D555D620
• Opcode ID: 9062b0d2752ccbb66c243f8a1b01049a63cf6cd46d15330e6ed11371c627022a
• Instruction ID: ddf09ff4f9e81d4b76653066efa67ede707619602b5f3438e6c2b2ffe8d0a1f8
• Opcode Fuzzy Hash: 9062b0d2752ccbb66c243f8a1b01049a63cf6cd46d15330e6ed11371c627022a
• Instruction Fuzzy Hash: 766148712D870A56DA389A288DB6BFEE3D4DF41700F1409DBE846DB381FE159E428359
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d49c05de0f89dda46275b61a2c70282b3872f710f8d32701bd0ca9f2ad3f0c14
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 26f0095acba632e371734e654046a66a28f24172473c1e54d180463baf9309f2
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d49c05de0f89dda46275b61a2c70282b3872f710f8d32701bd0ca9f2ad3f0c14
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F76129A16C870957DA389A288895BFEE3DADF41704F1409FBE943DB381FE11ED428355
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e0e677061e122147865a818d035b1a2e76fc8f12284a124fba163da82efa0297
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5E8166726090A319DB6D867D857443EFFE19A923A131A0BDFD4F2CA2D1FE248954E620
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c2297c628d5ad7fb5cd13e84f000604ba9aa5ebb4324e1ed8a552b9e77311304
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: fc9f6930b333595804f6b8bc37487cfc6eb64ab3915610a294fbaea270ac9a05
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c2297c628d5ad7fb5cd13e84f000604ba9aa5ebb4324e1ed8a552b9e77311304
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D121A5326206218BDB28CE79C82677E73E5A754310F25862EE4A7C77D0DE35A904CB84
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SetTextColor.GDI32(?,00000000), ref: 00C4712F
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 00C47160
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColor.USER32(0000000F), ref: 00C4716C
                                                                                                                                                                                                                                                                                                                                                                                • SetBkColor.GDI32(?,000000FF), ref: 00C47186
                                                                                                                                                                                                                                                                                                                                                                                • SelectObject.GDI32(?,?), ref: 00C47195
                                                                                                                                                                                                                                                                                                                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 00C471C0
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColor.USER32(00000010), ref: 00C471C8
                                                                                                                                                                                                                                                                                                                                                                                • CreateSolidBrush.GDI32(00000000), ref: 00C471CF
                                                                                                                                                                                                                                                                                                                                                                                • FrameRect.USER32(?,?,00000000), ref: 00C471DE
                                                                                                                                                                                                                                                                                                                                                                                • DeleteObject.GDI32(00000000), ref: 00C471E5
                                                                                                                                                                                                                                                                                                                                                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 00C47230
                                                                                                                                                                                                                                                                                                                                                                                • FillRect.USER32(?,?,?), ref: 00C47262
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00C47284
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C473E8: GetSysColor.USER32(00000012), ref: 00C47421
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C473E8: SetTextColor.GDI32(?,?), ref: 00C47425
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C473E8: GetSysColorBrush.USER32(0000000F), ref: 00C4743B
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C473E8: GetSysColor.USER32(0000000F), ref: 00C47446
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C473E8: GetSysColor.USER32(00000011), ref: 00C47463
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C47471
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C473E8: SelectObject.GDI32(?,00000000), ref: 00C47482
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C473E8: SetBkColor.GDI32(?,00000000), ref: 00C4748B
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C473E8: SelectObject.GDI32(?,?), ref: 00C47498
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00C474B7
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C474CE
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00C474DB
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
• String ID:
• API String ID: 4124339563-0
• Opcode ID: 66f9fe67b7216f0e3a175943bcd41b6327b86b781c20d9e6b1d9ae565bd9a761
• Instruction ID: a139c6bdccef6f4a2100ff6fa6726345efb4818b965bf1d7504f127694d8e68c
• Opcode Fuzzy Hash: 66f9fe67b7216f0e3a175943bcd41b6327b86b781c20d9e6b1d9ae565bd9a761
• Instruction Fuzzy Hash: 87A17C76009301EFDB509F60DC88B6F7BA9FB8A320F100B19F962A61B1D771E944DB91
APIs
• DestroyWindow.USER32(?,?), ref: 00BC8E14
• SendMessageW.USER32(?,00001308,?,00000000), ref: 00C06AC5
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C06AFE
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C06F43
  • Part of subcall function 00BC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BC8BE8,?,00000000,?,?,?,?,00BC8BBA,00000000,?), ref: 00BC8FC5
• SendMessageW.USER32(?,00001053), ref: 00C06F7F
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C06F96
• ImageList_Destroy.COMCTL32(00000000,?), ref: 00C06FAC
• ImageList_Destroy.COMCTL32(00000000,?), ref: 00C06FB7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
• String ID: 0
• API String ID: 2760611726-4108050209
• Opcode ID: 82fcc3e93e2b305d0b4924d29d962ff32174740dfedd50a37806a010e9972e0e
• Instruction ID: d5d163233f84ee51da57e43b671628563d01cf46dc644352380339c511bdeae5
• Opcode Fuzzy Hash: 82fcc3e93e2b305d0b4924d29d962ff32174740dfedd50a37806a010e9972e0e
• Instruction Fuzzy Hash: FD129E34601212EFDB25CF24C894BA9B7F5FB45310F1844ADF4A58B2A2CB31ED62DB91
APIs
• DestroyWindow.USER32(00000000), ref: 00C3273E
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C3286A
• SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00C328A9
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C328B9
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00C32900
• GetClientRect.USER32(00000000,?), ref: 00C3290C
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00C32955
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C32964
• GetStockObject.GDI32(00000011), ref: 00C32974
• SelectObject.GDI32(00000000,00000000), ref: 00C32978
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00C32988
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C32991
• DeleteDC.GDI32(00000000), ref: 00C3299A
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C329C6
• SendMessageW.USER32(00000030,00000000,00000001), ref: 00C329DD
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00C32A1D
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C32A31
• SendMessageW.USER32(00000404,00000001,00000000), ref: 00C32A42
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00C32A77
• GetStockObject.GDI32(00000011), ref: 00C32A82
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C32A8D
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00C32A97
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
• Opcode ID: 0c80a60b038bfc82cd3168135eb5d6a40c44b582b43fd84d6baec81ac036cf80
• Instruction ID: 65875e0a790a4aca6d1ea90ca4473ec56aeea7557675546545aea0c67b1e3cc3
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0c80a60b038bfc82cd3168135eb5d6a40c44b582b43fd84d6baec81ac036cf80
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E2B17E75A10215AFEB14DF68CC85FAE7BA9FB09710F008554F915E72A0D770ED00CBA4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SetErrorMode.KERNEL32(00000001), ref: 00C24AED
                                                                                                                                                                                                                                                                                                                                                                                • GetDriveTypeW.KERNEL32(?,00C4CB68,?,\\.\,00C4CC08), ref: 00C24BCA
                                                                                                                                                                                                                                                                                                                                                                                • SetErrorMode.KERNEL32(00000000,00C4CB68,?,\\.\,00C4CC08), ref: 00C24D36
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ErrorMode$DriveType
                                                                                                                                                                                                                                                                                                                                                                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2907320926-4222207086
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 2a785af1842c5a516483aa561910be9f813521d610c9951737d08b63265ccd0b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f465a26780d699d09dd7f587535a9799851b9796f3a32258a0dc2b9487dbdda1
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2a785af1842c5a516483aa561910be9f813521d610c9951737d08b63265ccd0b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F261C330605616DBCB1DDF2DEA82DBD77A0EB14340B248466F80AABA92DB71DE41DB41
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColor.USER32(00000012), ref: 00C47421
                                                                                                                                                                                                                                                                                                                                                                                • SetTextColor.GDI32(?,?), ref: 00C47425
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 00C4743B
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColor.USER32(0000000F), ref: 00C47446
                                                                                                                                                                                                                                                                                                                                                                                • CreateSolidBrush.GDI32(?), ref: 00C4744B
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColor.USER32(00000011), ref: 00C47463
                                                                                                                                                                                                                                                                                                                                                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C47471
                                                                                                                                                                                                                                                                                                                                                                                • SelectObject.GDI32(?,00000000), ref: 00C47482
                                                                                                                                                                                                                                                                                                                                                                                • SetBkColor.GDI32(?,00000000), ref: 00C4748B
                                                                                                                                                                                                                                                                                                                                                                                • SelectObject.GDI32(?,?), ref: 00C47498
                                                                                                                                                                                                                                                                                                                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 00C474B7
                                                                                                                                                                                                                                                                                                                                                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C474CE
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 00C474DB
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C4752A
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C47554
                                                                                                                                                                                                                                                                                                                                                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 00C47572
                                                                                                                                                                                                                                                                                                                                                                                • DrawFocusRect.USER32(?,?), ref: 00C4757D
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColor.USER32(00000011), ref: 00C4758E
                                                                                                                                                                                                                                                                                                                                                                                • SetTextColor.GDI32(?,00000000), ref: 00C47596
                                                                                                                                                                                                                                                                                                                                                                                • DrawTextW.USER32(?,00C470F5,000000FF,?,00000000), ref: 00C475A8
                                                                                                                                                                                                                                                                                                                                                                                • SelectObject.GDI32(?,?), ref: 00C475BF
                                                                                                                                                                                                                                                                                                                                                                                • DeleteObject.GDI32(?), ref: 00C475CA
                                                                                                                                                                                                                                                                                                                                                                                • SelectObject.GDI32(?,?), ref: 00C475D0
                                                                                                                                                                                                                                                                                                                                                                                • DeleteObject.GDI32(?), ref: 00C475D5
                                                                                                                                                                                                                                                                                                                                                                                • SetTextColor.GDI32(?,?), ref: 00C475DB
                                                                                                                                                                                                                                                                                                                                                                                • SetBkColor.GDI32(?,?), ref: 00C475E5
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1996641542-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: fa69dd5e356d45c4dbf4b5abdc30e3777981f82d2267ecf16c780f6fc3909dd5
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 2117c526760f7288654135af705afc6a142b2a8926615702f2702a9c74c64dbc
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fa69dd5e356d45c4dbf4b5abdc30e3777981f82d2267ecf16c780f6fc3909dd5
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A9616976901218AFDB019FA4DC89BAEBFB9FB09320F114215F915BB2A1D7749A40DF90
APIs
• GetCursorPos.USER32(?), ref: 00C41128
• GetDesktopWindow.USER32 ref: 00C4113D
• GetWindowRect.USER32(00000000), ref: 00C41144
• GetWindowLongW.USER32(?,000000F0), ref: 00C41199
• DestroyWindow.USER32(?), ref: 00C411B9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C411ED
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C4120B
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C4121D
• SendMessageW.USER32(00000000,00000421,?,?), ref: 00C41232
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00C41245
• IsWindowVisible.USER32(00000000), ref: 00C412A1
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00C412BC
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00C412D0
• GetWindowRect.USER32(00000000,?), ref: 00C412E8
• MonitorFromPoint.USER32(?,?,00000002), ref: 00C4130E
• GetMonitorInfoW.USER32(00000000,?), ref: 00C41328
• CopyRect.USER32(?,?), ref: 00C4133F
• SendMessageW.USER32(00000000,00000412,00000000), ref: 00C413AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: d9f1ca9782618ca9b4bfef95214b923b4534766dfd0e03c5925438e3b3bda1cb
• Instruction ID: 8f601213a2e4952ac4eb6234262d0114c615f4322605b2fce315753214d5f600
• Opcode Fuzzy Hash: d9f1ca9782618ca9b4bfef95214b923b4534766dfd0e03c5925438e3b3bda1cb
• Instruction Fuzzy Hash: 43B19C71604341AFD714DF64C884BAEBBE4FF85350F04895CF9999B2A1CB71E984CB92
APIs
• CharUpperBuffW.USER32(?,?), ref: 00C402E5
• _wcslen.LIBCMT ref: 00C4031F
• _wcslen.LIBCMT ref: 00C40389
• _wcslen.LIBCMT ref: 00C403F1
• _wcslen.LIBCMT ref: 00C40475
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C404C5
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C40504
  • Part of subcall function 00BCF9F2: _wcslen.LIBCMT ref: 00BCF9FD
  • Part of subcall function 00C1223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C12258
  • Part of subcall function 00C1223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C1228A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 1103490817-719923060
• Opcode ID: 5b12e7492ad2a0d53e6a663e815466297c0659d303a43db8147daaa7c1a243dd
• Instruction ID: cd358c0252d54d86c130dc09c49cb778d41aef87165dbe3524161b3618badb90
• Opcode Fuzzy Hash: 5b12e7492ad2a0d53e6a663e815466297c0659d303a43db8147daaa7c1a243dd
• Instruction Fuzzy Hash: 5FE1B2312582018FCB24DF24C45197AB7E6FF98314F248A9CF9A69B3A1DB70EE45CB41
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BC8968
• GetSystemMetrics.USER32(00000007), ref: 00BC8970
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BC899B
• GetSystemMetrics.USER32(00000008), ref: 00BC89A3
• GetSystemMetrics.USER32(00000004), ref: 00BC89C8
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BC89E5
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BC89F5
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BC8A28
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BC8A3C
• GetClientRect.USER32(00000000,000000FF), ref: 00BC8A5A
• GetStockObject.GDI32(00000011), ref: 00BC8A76
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00BC8A81
  • Part of subcall function 00BC912D: GetCursorPos.USER32(?), ref: 00BC9141
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BC912D: ScreenToClient.USER32(00000000,?), ref: 00BC915E
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BC912D: GetAsyncKeyState.USER32(00000001), ref: 00BC9183
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BC912D: GetAsyncKeyState.USER32(00000002), ref: 00BC919D
                                                                                                                                                                                                                                                                                                                                                                                • SetTimer.USER32(00000000,00000000,00000028,00BC90FC), ref: 00BC8AA8
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                                                                                                                                                                                                                                                                                                • String ID: AutoIt v3 GUI
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1458621304-248962490
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: dd46b85f5dbaa0d428dd2ae1acddae2f0e840b72b11f5150ccf13b4a7cf7abc1
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: faf93f4588e04ade0000172cc2796f8f0a0b98a295d4ad7ec296af9bcdd8fbff
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dd46b85f5dbaa0d428dd2ae1acddae2f0e840b72b11f5150ccf13b4a7cf7abc1
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4BB19A35A0020AAFDB14DFA8CC85FAE3BF5FB48314F054269FA15A72E0CB74A941CB54
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C11114
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C11120
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C1112F
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C11136
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C1114D
                                                                                                                                                                                                                                                                                                                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C10DF5
                                                                                                                                                                                                                                                                                                                                                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C10E29
                                                                                                                                                                                                                                                                                                                                                                                • GetLengthSid.ADVAPI32(?), ref: 00C10E40
                                                                                                                                                                                                                                                                                                                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 00C10E7A
                                                                                                                                                                                                                                                                                                                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C10E96
                                                                                                                                                                                                                                                                                                                                                                                • GetLengthSid.ADVAPI32(?), ref: 00C10EAD
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C10EB5
                                                                                                                                                                                                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000), ref: 00C10EBC
                                                                                                                                                                                                                                                                                                                                                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C10EDD
                                                                                                                                                                                                                                                                                                                                                                                • CopySid.ADVAPI32(00000000), ref: 00C10EE4
                                                                                                                                                                                                                                                                                                                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C10F13
                                                                                                                                                                                                                                                                                                                                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C10F35
                                                                                                                                                                                                                                                                                                                                                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C10F47
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C10F6E
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00C10F75
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C10F7E
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00C10F85
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C10F8E
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00C10F95
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00C10FA1
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00C10FA8
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C11193: GetProcessHeap.KERNEL32(00000008,00C10BB1,?,00000000,?,00C10BB1,?), ref: 00C111A1
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C11193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C10BB1,?), ref: 00C111A8
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C11193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C10BB1,?), ref: 00C111B7
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: 371a79236ce11e8cebcafa1b4109cb20d052396a733bac1aefe706e723fe5e49
• Instruction ID: bdb91fd0ece923e353f30c776bf23b34ceebe0c726c00969c467a774f8653747
• Opcode Fuzzy Hash: 371a79236ce11e8cebcafa1b4109cb20d052396a733bac1aefe706e723fe5e49
• Instruction Fuzzy Hash: 01718D7290120AEBDF20DFA5DC45FEEBBB8BF06300F144115F929A61A1D7709A96DB60
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3C4BD
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00C4CC08,00000000,?,00000000,?,?), ref: 00C3C544
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C3C5A4
• _wcslen.LIBCMT ref: 00C3C5F4
• _wcslen.LIBCMT ref: 00C3C66F
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00C3C6B2
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C3C7C1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C3C84D
• RegCloseKey.ADVAPI32(?), ref: 00C3C881
• RegCloseKey.ADVAPI32(00000000), ref: 00C3C88E
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C3C960
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Value$Close$_wcslen$ConnectCreateRegistry
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 9721498-966354055
• Opcode ID: f549971408f852c7b9d0481455ba1fd25efec722de21f4cc84faca3405d109e1
• Instruction ID: ba8857265aabc14cca2b0eedeec45929927d69624059751e628151a02bda1e07
• Opcode Fuzzy Hash: f549971408f852c7b9d0481455ba1fd25efec722de21f4cc84faca3405d109e1
• Instruction Fuzzy Hash: 0C1257356142019FC714DF24C891B6EB7E5EF88714F04889DF89AAB3A2DB71ED41CB91
APIs
• CharUpperBuffW.USER32(?,?), ref: 00C409C6
• _wcslen.LIBCMT ref: 00C40A01
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C40A54
• _wcslen.LIBCMT ref: 00C40A8A
• _wcslen.LIBCMT ref: 00C40B06
• _wcslen.LIBCMT ref: 00C40B81
  • Part of subcall function 00BCF9F2: _wcslen.LIBCMT ref: 00BCF9FD
  • Part of subcall function 00C12BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C12BFA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 1103490817-4258414348
• Opcode ID: 29b8257d83880e14f21f8f33c080143d80856ac77b1afd23f6a3c706fc2f9bae
• Instruction ID: dbd83d17cfeb989098d38a7c253a380507c21dee3ea507b1b8dc94a7ce19a7aa
• Opcode Fuzzy Hash: 29b8257d83880e14f21f8f33c080143d80856ac77b1afd23f6a3c706fc2f9bae
• Instruction Fuzzy Hash: C5E1C1356483018FCB14DF25C49196AB7E1FF98314F24899DF9AA9B362DB30EE45CB81
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 1256254125-909552448
• Opcode ID: 664de6b702f05e2209dc29571b4ccd80b96d3e9c2926b86e678ee494fc10ff68
• Instruction ID: 1daafbd718498d7ed87725a6c12ba1a3efcc4823fda2eb7c4f1834930a182886
• Opcode Fuzzy Hash: 664de6b702f05e2209dc29571b4ccd80b96d3e9c2926b86e678ee494fc10ff68
• Instruction Fuzzy Hash: AC71F23262012A8BCF20DE7DCDD16BE7391AF60754F254268F876B7284EA35CE45D3A0
APIs
• _wcslen.LIBCMT ref: 00C4835A
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00C4836E
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00C48391
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00C483B4
                                                                                                                                                                                                                                                                                                                                                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C483F2
                                                                                                                                                                                                                                                                                                                                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00C45BF2), ref: 00C4844E
                                                                                                                                                                                                                                                                                                                                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C48487
                                                                                                                                                                                                                                                                                                                                                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C484CA
                                                                                                                                                                                                                                                                                                                                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C48501
                                                                                                                                                                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(?), ref: 00C4850D
                                                                                                                                                                                                                                                                                                                                                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C4851D
                                                                                                                                                                                                                                                                                                                                                                                • DestroyIcon.USER32(?,?,?,?,?,00C45BF2), ref: 00C4852C
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C48549
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C48555
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                                                                                                                                                                                                                                                                                                                • String ID: .dll$.exe$.icl
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 799131459-1154884017
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 4fa58594075bad529c4aea6a40f6e67d0375887318bb0bcd4ad2be881970884f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: b2fb1f500851375796ed3fe4c4bacdeff48af3413e7db07d67b305ed5a426bc2
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4fa58594075bad529c4aea6a40f6e67d0375887318bb0bcd4ad2be881970884f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1061E271900215BFEB14DF64CC81BBE77A8FB04711F10465AF925D61E1EBB4AA84DBA0
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 0-1645009161
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ba7695bd77090ef91f0ba393acc1787e39e4ae8696d65fefafdf4e33bfbe3c82
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 4968c57c43612a06677c9059058bae2d459398eab6c32e341911fe6d1f7ee8fe
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ba7695bd77090ef91f0ba393acc1787e39e4ae8696d65fefafdf4e33bfbe3c82
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F081C271A44609BBDB20AF61CC82FFE77E9EF55300F0440A5FA05AB192EFB0DA15D691
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • LoadIconW.USER32(00000063), ref: 00C15A2E
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C15A40
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowTextW.USER32(?,?), ref: 00C15A57
                                                                                                                                                                                                                                                                                                                                                                                • GetDlgItem.USER32(?,000003EA), ref: 00C15A6C
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowTextW.USER32(00000000,?), ref: 00C15A72
                                                                                                                                                                                                                                                                                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00C15A82
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowTextW.USER32(00000000,?), ref: 00C15A88
                                                                                                                                                                                                                                                                                                                                                                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C15AA9
                                                                                                                                                                                                                                                                                                                                                                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C15AC3
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 00C15ACC
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00C15B33
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowTextW.USER32(?,?), ref: 00C15B6F
                                                                                                                                                                                                                                                                                                                                                                                • GetDesktopWindow.USER32 ref: 00C15B75
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowRect.USER32(00000000), ref: 00C15B7C
                                                                                                                                                                                                                                                                                                                                                                                • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C15BD3
• GetClientRect.USER32(?,?), ref: 00C15BE0
• PostMessageW.USER32(?,00000005,00000000,?), ref: 00C15C05
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C15C2F
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
• String ID:
• API String ID: 895679908-0
• Opcode ID: f39833fbbf5d38de134c04250c3f854863bc48be9bd51e5759fe04fad6cd4478
• Instruction ID: f514d1e8e68f93e4f4fe627fa11589620df965c6b725ecf7d2eccf7b648ff167
• Opcode Fuzzy Hash: f39833fbbf5d38de134c04250c3f854863bc48be9bd51e5759fe04fad6cd4478
• Instruction Fuzzy Hash: 6A719D31900B09EFDB20DFA9CE85BAEBBF5FF89704F104518E552A25A0D775EA80DB50
APIs
• __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00BD00C6
  • Part of subcall function 00BD00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00C8070C,00000FA0,002073D3,?,?,?,?,00BF23B3,000000FF), ref: 00BD011C
  • Part of subcall function 00BD00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00BF23B3,000000FF), ref: 00BD0127
  • Part of subcall function 00BD00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00BF23B3,000000FF), ref: 00BD0138
  • Part of subcall function 00BD00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00BD014E
  • Part of subcall function 00BD00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00BD015C
  • Part of subcall function 00BD00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00BD016A
  • Part of subcall function 00BD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BD0195
  • Part of subcall function 00BD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BD01A0
• ___scrt_fastfail.LIBCMT ref: 00BD00E7
  • Part of subcall function 00BD00A3: __onexit.LIBCMT ref: 00BD00A9
Strings
• kernel32.dll, xrefs: 00BD0133
• InitializeConditionVariable, xrefs: 00BD0148
• WakeAllConditionVariable, xrefs: 00BD0162
• SleepConditionVariableCS, xrefs: 00BD0154
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 00BD0122
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
• String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 66158676-1714406822
• Opcode ID: c37dae9600c454d535e07c1b3b7627b22320c7bb8d523a87e4f745feed45fef2
• Instruction ID: 537698f39c91d9acee3bae37109d27fd7f0c1ab6f473d2a0f38f8aa36ee294c5
• Opcode Fuzzy Hash: c37dae9600c454d535e07c1b3b7627b22320c7bb8d523a87e4f745feed45fef2
• Instruction Fuzzy Hash: D421C636A557116BE7517FA4AC45B6EB7D4FF05B61F1001BEF801A33A1EF7498008A94
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _wcslen
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 176396367-1603158881
• Opcode ID: 06601d1bac018c8e7fdadd0fda69c58c07d523b92f84a21a476c362b9a8fd513
• Instruction ID: 2c6f434de6dc02e02652f68bc444a964bd800f53c4cb0fbe0cb9440ef73dc2ee
• Opcode Fuzzy Hash: 06601d1bac018c8e7fdadd0fda69c58c07d523b92f84a21a476c362b9a8fd513
• Instruction Fuzzy Hash: 63E13531A00556ABCF149FA8C8416FDFBB5BF05714F64816AE466F3240DB70AFC5A790
APIs
• CharLowerBuffW.USER32(00000000,00000000,00C4CC08), ref: 00C24527
• _wcslen.LIBCMT ref: 00C2453B
• _wcslen.LIBCMT ref: 00C24599
• _wcslen.LIBCMT ref: 00C245F4
• _wcslen.LIBCMT ref: 00C2463F
• _wcslen.LIBCMT ref: 00C246A7
  • Part of subcall function 00BCF9F2: _wcslen.LIBCMT ref: 00BCF9FD
• GetDriveTypeW.KERNEL32(?,00C76BF0,00000061), ref: 00C24743
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _wcslen$BuffCharDriveLowerType
                                                                                                                                                                                                                                                                                                                                                                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2055661098-1000479233
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 37d07b96f97b4c94e0f4c738fdb28749fbc648fdac216e88b4f34bbb8773bb3a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 5fad1606df2d2f4fd35789fb4a76976bcab87b9ac41ed3d0b2bf18e20cbea796
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 37d07b96f97b4c94e0f4c738fdb28749fbc648fdac216e88b4f34bbb8773bb3a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0CB123316083229FC718DF28E890A7EB7E5BFA5720F50492DF4A6C7691EB70D944CB52
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2
                                                                                                                                                                                                                                                                                                                                                                                • DragQueryPoint.SHELL32(?,?), ref: 00C49147
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C47674: ClientToScreen.USER32(?,?), ref: 00C4769A
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C47674: GetWindowRect.USER32(?,?), ref: 00C47710
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C47674: PtInRect.USER32(?,?,00C48B89), ref: 00C47720
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 00C491B0
                                                                                                                                                                                                                                                                                                                                                                                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C491BB
                                                                                                                                                                                                                                                                                                                                                                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C491DE
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C49225
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 00C4923E
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 00C49255
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 00C49277
                                                                                                                                                                                                                                                                                                                                                                                • DragFinish.SHELL32(?), ref: 00C4927E
                                                                                                                                                                                                                                                                                                                                                                                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C49371
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: x$@GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 221274066-1251506578
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ccf0c0f44623533c08ae2165406ad1042e678de80beb3296ad45f90c7886504a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ac7f8c4f97dc20ae7de45240d4ea8d49ef32845bcdf9d18dec8f626a40fa6c47
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ccf0c0f44623533c08ae2165406ad1042e678de80beb3296ad45f90c7886504a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0D615871108301AFD701EF64DC85EAFBBE8FF89750F000A6EF995921A1DB709A49CB52
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • ___free_lconv_mon.LIBCMT ref: 00BEDAA1
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED659
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED66B
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED67D
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED68F
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED6A1
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED6B3
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED6C5
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED6D7
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED6E9
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED6FB
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED70D
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED71F
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED731
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BEDA96
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000), ref: 00BE29DE
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BE29C8: GetLastError.KERNEL32(00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000,00000000), ref: 00BE29F0
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BEDAB8
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BEDACD
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BEDAD8
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BEDAFA
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BEDB0D
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BEDB1B
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BEDB26
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BEDB5E
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BEDB65
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BEDB82
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BEDB9A
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                                                                                                                                                                • String ID: `,
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 161543041-3251075597
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 5b3aa79cc4b3863f9b067431ee4bbdf89fe4459d0c9bf07f25abe7bea9ed0e25
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 84f3fdd4c70db89c60fdef8103cd04cf74462d17195a338fad42ddc864a4b027
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5b3aa79cc4b3863f9b067431ee4bbdf89fe4459d0c9bf07f25abe7bea9ed0e25
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 16318F356043899FEB21AB3AE846B5A77E8FF00310F1154B9E458D7292EFB9ED40C720
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemCount.USER32(00C81990), ref: 00BF2F8D
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemCount.USER32(00C81990), ref: 00BF303D
                                                                                                                                                                                                                                                                                                                                                                                • GetCursorPos.USER32(?), ref: 00BF3081
                                                                                                                                                                                                                                                                                                                                                                                • SetForegroundWindow.USER32(00000000), ref: 00BF308A
                                                                                                                                                                                                                                                                                                                                                                                • TrackPopupMenuEx.USER32(00C81990,00000000,?,00000000,00000000,00000000), ref: 00BF309D
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BF30A9
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID: 0
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 36266755-4108050209
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 3121164803a08efbb358dcbf085c147009e17a063b11dd356f7d2f804296fe76
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: a84dda197679b25a2ef276120827421d20fac5da6ffe87faccd5e98050f025a1
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3121164803a08efbb358dcbf085c147009e17a063b11dd356f7d2f804296fe76
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0C71E170640209BBEB218B64CC89FFEBFE4FB05724F204256F614AA1E0C7B1AD54DB90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • DestroyWindow.USER32(00000000,?), ref: 00C46DEB
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A
                                                                                                                                                                                                                                                                                                                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C46E5F
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C46E81
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C46E94
                                                                                                                                                                                                                                                                                                                                                                                • DestroyWindow.USER32(?), ref: 00C46EB5
                                                                                                                                                                                                                                                                                                                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00BB0000,00000000), ref: 00C46EE4
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C46EFD
                                                                                                                                                                                                                                                                                                                                                                                • GetDesktopWindow.USER32 ref: 00C46F16
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowRect.USER32(00000000), ref: 00C46F1D
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C46F35
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C46F4D
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BC9944: GetWindowLongW.USER32(?,000000EB), ref: 00BC9952
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
• String ID: 0$tooltips_class32
• API String ID: 2429346358-3619404913
• Opcode ID: c0306186b51d34707028d90adae6412fa3df236b142ee8c884b517fa356771e8
• Instruction ID: dd6d50d53e0c3d8c91bd3bd89fe103e40865578465b3d8ac27a1ed306abbd2c3
• Opcode Fuzzy Hash: c0306186b51d34707028d90adae6412fa3df236b142ee8c884b517fa356771e8
• Instruction Fuzzy Hash: 3B715B74104344AFEB21CF58DC84FAABBF9FB8A314F04451DF99987261C771A90ACB16
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C2C4B0
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C2C4C3
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C2C4D7
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C2C4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C2C533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C2C549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C2C554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C2C584
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C2C5DC
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C2C5F0
• InternetCloseHandle.WININET(00000000), ref: 00C2C5FB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
• String ID:
• API String ID: 3800310941-3916222277
• Opcode ID: d886bd482593adf8040eaed44513c6e59ec194c2f3984ab5c88e426a8fa81a6e
• Instruction ID: 064210657d8f1c3797aebaebe71fd11069c6f6822bbde7eb354e2da459d3a094
• Opcode Fuzzy Hash: d886bd482593adf8040eaed44513c6e59ec194c2f3984ab5c88e426a8fa81a6e
• Instruction Fuzzy Hash: B4515AB4501618BFDB219F61D9C8BAF7BFCFF09344F004429F95696A20DB74EA04AB60
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00C48592
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C485A2
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C485AD
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C485BA
• GlobalLock.KERNEL32(00000000), ref: 00C485C8
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C485D7
• GlobalUnlock.KERNEL32(00000000), ref: 00C485E0
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C485E7
• CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C485F8
• OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00C4FC38,?), ref: 00C48611
• GlobalFree.KERNEL32(00000000), ref: 00C48621
• GetObjectW.GDI32(?,00000018,?), ref: 00C48641
• CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00C48671
• DeleteObject.GDI32(?), ref: 00C48699
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C486AF
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: 99e18a0a59bdd1485646632346f61405a9b158613a3447d66137b1d5d12f7a8a
• Instruction ID: b44e9c6a7f9ae7744e81b3133143e884e682a71bff3c4511d3581d7a60bad188
• Opcode Fuzzy Hash: 99e18a0a59bdd1485646632346f61405a9b158613a3447d66137b1d5d12f7a8a
• Instruction Fuzzy Hash: FC413C75601204AFDB619FA5CC88FAE7BB8FF8A711F104059F915E7260DB709E05DB20
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • VariantInit.OLEAUT32(00000000), ref: 00C21502
                                                                                                                                                                                                                                                                                                                                                                                • VariantCopy.OLEAUT32(?,?), ref: 00C2150B
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32(?), ref: 00C21517
                                                                                                                                                                                                                                                                                                                                                                                • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C215FB
                                                                                                                                                                                                                                                                                                                                                                                • VarR8FromDec.OLEAUT32(?,?), ref: 00C21657
                                                                                                                                                                                                                                                                                                                                                                                • VariantInit.OLEAUT32(?), ref: 00C21708
                                                                                                                                                                                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 00C2178C
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32(?), ref: 00C217D8
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32(?), ref: 00C217E7
                                                                                                                                                                                                                                                                                                                                                                                • VariantInit.OLEAUT32(00000000), ref: 00C21823
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                                                                                                                                                                                                                                                                                                                                • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1234038744-3931177956
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: e53d2376071a0a454f100c0deb841d281f10c897e1d0289cdb071a5aed9fd298
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 3b23d460225e4239a8cca1fa1a2193f34053e033c50a23921acb617b1edea68b
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e53d2376071a0a454f100c0deb841d281f10c897e1d0289cdb071a5aed9fd298
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 77D1F331A00229DBDB109F66E885BBDB7F5BF55700F1880EAF806AB990DB70DD41DB61
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3B6AE,?,?), ref: 00C3C9B5
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3C9F1
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3CA68
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3CA9E
                                                                                                                                                                                                                                                                                                                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3B6F4
                                                                                                                                                                                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C3B772
                                                                                                                                                                                                                                                                                                                                                                                • RegDeleteValueW.ADVAPI32(?,?), ref: 00C3B80A
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00C3B87E
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00C3B89C
                                                                                                                                                                                                                                                                                                                                                                                • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C3B8F2
                                                                                                                                                                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C3B904
                                                                                                                                                                                                                                                                                                                                                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C3B922
                                                                                                                                                                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00C3B983
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00C3B994
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                                                                                                                                                                                                                                                                                                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 146587525-4033151799
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 027af3bd854f369fc5d642870f8548ec8c34fed236fd3a0f35f070a31d1177cb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: d3233c9a9fb7ffeb5b5b8cfc6e23b3b589735a62fad5fde400e189e2294359fa
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 027af3bd854f369fc5d642870f8548ec8c34fed236fd3a0f35f070a31d1177cb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4CC18B34218201AFD714DF14C495F6ABBE5FF85308F14859CF6AA8B2A2CB71ED45CB92
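The function records above and the one that follows each list an ordered API chain (VARIANT date conversion, registry value/key deletion with RegDeleteKeyExW resolved at run time through LoadLibraryA/GetProcAddress, and a GDI screen grab via GetDC/CreateCompatibleBitmap/StretchBlt/GetDIBits). The following is an added example, not code from the report or from Joe Sandbox: it parses "APIs" lines in the report's own layout into call records, separates direct calls from "Part of subcall function" entries, and matches ordered chains against them so the records can be turned into reusable capability checks. The chain names and the chain definitions are this example's own assumptions; the sample records are copied from the report above and from the record that follows.

```python
"""Capability matching over Joe Sandbox 'APIs' function records.

Added example, not part of the original report. Chain names below are
assumptions made for this example, not Joe Sandbox signature names.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Sequence, Set, Tuple, Union

# One 'APIs' line, e.g.
#   • RegDeleteValueW.ADVAPI32(?,?), ref: 00C3B80A
#   • _wcslen.LIBCMT ref: 00BB9CBD
#   • Part of subcall function 00C3C998: CharUpperBuffW.USER32(?,?), ref: 00C3C9B5
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


class ApiCall(NamedTuple):
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str
    subcall_of: Optional[str]  # set when the call happens in a callee, not this function


def parse_apis(text: str) -> List[ApiCall]:
    """Parse every API line of a record; headers and hash lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
    return calls


# A step is an API name, optionally paired with a literal argument that must
# be present (the symbol name handed to GetProcAddress, the DLL name to LoadLibraryA).
Step = Union[str, Tuple[str, str]]

# Ordered chains; matched as a subsequence, so unrelated calls in between are allowed.
SIGNATURES: Dict[str, Sequence[Step]] = {
    "gdi_screen_capture": (
        "GetDC", "CreateCompatibleBitmap", "CreateCompatibleDC", "SelectObject",
        "StretchBlt", "GetDIBits", "ReleaseDC",
    ),
    "registry_delete_with_dynamic_RegDeleteKeyExW": (
        "RegOpenKeyExW", ("LoadLibraryA", "advapi32.dll"),
        ("GetProcAddress", "RegDeleteKeyExW"), "RegDeleteKeyW",
    ),
    "variant_time_to_systemtime": (
        "VariantInit", "VariantTimeToSystemTime", "VariantClear",
    ),
}


def matches_chain(calls: Sequence[ApiCall], chain: Sequence[Step],
                  include_subcalls: bool = False) -> bool:
    """True if every step of the chain occurs, in order, among the function's calls.

    Subcall entries are skipped by default: they describe callees, and counting
    them would attribute a callee's behaviour to the function being classified.
    """
    i = 0
    for call in calls:
        if i == len(chain):
            break
        if call.subcall_of and not include_subcalls:
            continue
        step = chain[i]
        name, arg = (step, None) if isinstance(step, str) else step
        if call.name == name and (arg is None or arg in call.args):
            i += 1
    return i == len(chain)


def classify(text: str) -> List[str]:
    calls = parse_apis(text)
    return [sig for sig, chain in SIGNATURES.items() if matches_chain(calls, chain)]


def literal_args(calls: Sequence[ApiCall]) -> Set[str]:
    """Arguments that are neither '?' nor an 8-digit hex constant: strings passed in."""
    return {a for c in calls for a in c.args
            if a and a != "?" and not re.fullmatch(r"[0-9A-F]{8}", a)}


# Sample records, copied from the report's function listing (constructed input).
REGISTRY_RECORD = """\
APIs
  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
  • Part of subcall function 00C3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3B6AE,?,?), ref: 00C3C9B5
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3B6F4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C3B772
• RegDeleteValueW.ADVAPI32(?,?), ref: 00C3B80A
• RegCloseKey.ADVAPI32(?), ref: 00C3B87E
• RegCloseKey.ADVAPI32(?), ref: 00C3B89C
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C3B8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C3B904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00C3B922
• FreeLibrary.KERNEL32(00000000), ref: 00C3B983
• RegCloseKey.ADVAPI32(00000000), ref: 00C3B994
"""

GDI_RECORD = """\
APIs
• GetDC.USER32(00000000), ref: 00C325D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C325E8
• CreateCompatibleDC.GDI32(?), ref: 00C325F4
• SelectObject.GDI32(00000000,?), ref: 00C32601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C3266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C326AC
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C326D0
• SelectObject.GDI32(?,?), ref: 00C326D8
• DeleteObject.GDI32(?), ref: 00C326E1
• DeleteDC.GDI32(?), ref: 00C326E8
• ReleaseDC.USER32(00000000,?), ref: 00C326F3
"""

if __name__ == "__main__":
    for label, rec in (("registry", REGISTRY_RECORD), ("gdi", GDI_RECORD)):
        calls = parse_apis(rec)
        print(label, classify(rec), sorted(literal_args(calls)))
```

The subsequence match deliberately tolerates the extra RegCloseKey and the two GetDIBits calls (the first GetDIBits call with a NULL buffer is the size query, the second the copy), so the same chain definition still fires when the compiler reorders or duplicates bookkeeping calls. The literal-argument set reproduces the report's "String ID" values (advapi32.dll, RegDeleteKeyExW) directly from the call arguments, which is a cheaper pivot than the fuzzy hashes when hunting for the same routine in other AutoIt-compiled samples.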
APIs
• GetDC.USER32(00000000), ref: 00C325D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C325E8
• CreateCompatibleDC.GDI32(?), ref: 00C325F4
• SelectObject.GDI32(00000000,?), ref: 00C32601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C3266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C326AC
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C326D0
• SelectObject.GDI32(?,?), ref: 00C326D8
• DeleteObject.GDI32(?), ref: 00C326E1
• DeleteDC.GDI32(?), ref: 00C326E8
• ReleaseDC.USER32(00000000,?), ref: 00C326F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                                                                                                                                                                                                                                                                                • String ID: (
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2598888154-3887548279
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: f66f0e0b6a9b0bf61fd2cf10f5ad90a545f78f512a52240fae93bf96257e9fff
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ef3c87b2d232407bb8ef4762968551e74303a5bab0230c295b667ef6bc9962ae
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f66f0e0b6a9b0bf61fd2cf10f5ad90a545f78f512a52240fae93bf96257e9fff
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8761E275D01219EFCF14CFA4D885AAEBBF6FF48310F208529E956A7260D770A941DF90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 00C1369C
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00C136A7
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C13797
                                                                                                                                                                                                                                                                                                                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 00C1380C
                                                                                                                                                                                                                                                                                                                                                                                • GetDlgCtrlID.USER32(?), ref: 00C1385D
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 00C13882
                                                                                                                                                                                                                                                                                                                                                                                • GetParent.USER32(?), ref: 00C138A0
                                                                                                                                                                                                                                                                                                                                                                                • ScreenToClient.USER32(00000000), ref: 00C138A7
                                                                                                                                                                                                                                                                                                                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 00C13921
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 00C1395D
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: %s%u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4010501982-679674701
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 47410e8ae1a9ec4724ba09ea5792363b5e4e0157ce544dd13b389215763b0e17
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: bd2e2f847552133ec9aea22b68771fcbd467c82897cb612996d7b4564ede8c76
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 47410e8ae1a9ec4724ba09ea5792363b5e4e0157ce544dd13b389215763b0e17
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6A91D371200646AFD719DF24C885FEAF7E8FF46354F008529F9A9D2190DB30EA85DBA1
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 00C14994
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 00C149DA
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00C149EB
                                                                                                                                                                                                                                                                                                                                                                                • CharUpperBuffW.USER32(?,00000000), ref: 00C149F7
                                                                                                                                                                                                                                                                                                                                                                                • _wcsstr.LIBVCRUNTIME ref: 00C14A2C
                                                                                                                                                                                                                                                                                                                                                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 00C14A64
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 00C14A9D
                                                                                                                                                                                                                                                                                                                                                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 00C14AE6
                                                                                                                                                                                                                                                                                                                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 00C14B20
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 00C14B8B
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
• String ID: ThumbnailClass
• API String ID: 1311036022-1241985126
• Opcode ID: 443e44f79971582bf0fdc639bf6a66b58db6027f5dfaf77c7f8753cb7f1d87c0
• Instruction ID: 4a41db6259be2d5fb378253914572ea1a5229ca71dc747c471314b71dab02e95
• Opcode Fuzzy Hash: 443e44f79971582bf0fdc639bf6a66b58db6027f5dfaf77c7f8753cb7f1d87c0
• Instruction Fuzzy Hash: 6791C3710082059FDB08CF14C985FEAB7E8FF46354F04846AFD959A195EB30EE85EBA1
APIs
  • Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C48D5A
• GetFocus.USER32 ref: 00C48D6A
• GetDlgCtrlID.USER32(00000000), ref: 00C48D75
• DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00C48E1D
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C48ECF
• GetMenuItemCount.USER32(?), ref: 00C48EEC
• GetMenuItemID.USER32(?,00000000), ref: 00C48EFC
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C48F2E
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C48F70
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C48FA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
• String ID: 0
• API String ID: 1026556194-4108050209
• Opcode ID: de5ad3a357dbc5c8129a27005614fba10cbf676d004b930420c9ad1f195b8fb8
• Instruction ID: f291f435e526f2f6d9a3ec20fa442e952c197bc500fd2d68bea266c25f578513
• Opcode Fuzzy Hash: de5ad3a357dbc5c8129a27005614fba10cbf676d004b930420c9ad1f195b8fb8
• Instruction Fuzzy Hash: 8C81C075508301AFEB10CF24C884BAF7BE9FB89714F04095DF9A497291DB30DA09DB62
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C1DC20
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C1DC46
• _wcslen.LIBCMT ref: 00C1DC50
• _wcsstr.LIBVCRUNTIME ref: 00C1DCA0
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C1DCBC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1939486746-1459072770
• Opcode ID: 1309f61d9c094e158845541371452519b8fc621be6147bc41331001a8bb22cbe
• Instruction ID: 6780fbce1cfed0dc513c693482d82cf8f988a648c53ebd1e59e686fa3ce31969
• Opcode Fuzzy Hash: 1309f61d9c094e158845541371452519b8fc621be6147bc41331001a8bb22cbe
• Instruction Fuzzy Hash: F841E432A406017BDB10A765AC43FFF77ACEF52710F1040EAF901A6292FB749A0197B5
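The "APIs" lists in this report give one resolved call per line (API.MODULE(args), ref: address; "Part of subcall function" marks calls reached through a callee), with string constants the disassembler recovered shown inline as arguments. When triaging many such blocks it helps to parse them mechanically, in particular to pair LoadLibrary/GetModuleHandle with GetProcAddress so that exports resolved at run time are recovered: those exports never appear in the PE import table, so an import-table-only review misses them. The parser below is an added example, not part of the Joe Sandbox report; the sample listing is constructed from entries in this report's own "APIs" lists, and the helper names (parse_api_entries, dynamic_imports, string_arguments) are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input in the shape of this report's "APIs" lists
# (entries taken from the listings on this page; not a complete block).
SAMPLE_APIS = r"""
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C1DC20
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C1DC46
• _wcslen.LIBCMT ref: 00C1DC50
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C1DCBC
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C3CC64
  • Part of subcall function 00C3CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C3CCBD
  • Part of subcall function 00C3CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C3CCCF
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00C3CCF3
"""

# One list entry: optional "Part of subcall function ADDR:" prefix, API.MODULE,
# optional "(args)", then "ref: ADDR".  Library calls such as _wcslen have no args.
_ENTRY = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

_LOADERS = ("LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                 # address of the call site
    subcall: Optional[int]   # address of the callee this call belongs to, if any


def parse_api_entries(text: str) -> List[ApiCall]:
    """Parse a report-style 'APIs' listing into structured calls; unknown lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=args.split(",") if args else [],
            ref=int(m.group("ref"), 16),
            subcall=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def _is_literal(arg: str) -> bool:
    """True for a string constant the disassembler resolved ('?' and hex immediates are not)."""
    return arg != "?" and re.fullmatch(r"-?[0-9A-Fa-f]{8}", arg) is None


def dynamic_imports(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """Recover (library, export) pairs resolved at run time.

    Calls are grouped by the function they belong to (direct calls vs. each
    subcall) and walked in address order; a GetProcAddress whose second
    argument is a literal name is attributed to the nearest preceding
    LoadLibrary/GetModuleHandle with a literal module name in the same group.
    """
    groups: Dict[Optional[int], List[ApiCall]] = {}
    for c in calls:
        groups.setdefault(c.subcall, []).append(c)
    found = []
    for group in groups.values():
        lib = None
        for c in sorted(group, key=lambda c: c.ref):
            if c.api in _LOADERS and c.args and _is_literal(c.args[0]):
                lib = c.args[0]
            elif c.api == "GetProcAddress" and len(c.args) >= 2 and _is_literal(c.args[1]):
                found.append((lib or "<unresolved>", c.args[1]))
    return found


def string_arguments(calls: List[ApiCall]) -> List[str]:
    """Literal string arguments seen in the listing (paths, resource names, export names)."""
    return sorted({a for c in calls for a in c.args if _is_literal(a)})


if __name__ == "__main__":
    parsed = parse_api_entries(SAMPLE_APIS)
    print(f"{len(parsed)} calls parsed")
    for lib, export in dynamic_imports(parsed):
        print(f"run-time import: {export} from {lib}")
    print("string arguments:", string_arguments(parsed))
```

On the constructed sample the only run-time import is RegDeleteKeyExW from advapi32.dll, reached through the subcall at 00C3CC34 that the listing also shows falling back to RegDeleteKeyW; treating the GetProcAddress target as a first-class "import" is what lets a registry-deletion capability be counted even though the static import table does not name it. The grouping by subcall matters: call addresses from different functions interleave in the listing, so pairing loader and resolver across groups would mis-attribute libraries.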
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C3CC64
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00C3CC8D
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C3CD48
  • Part of subcall function 00C3CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00C3CCAA
  • Part of subcall function 00C3CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C3CCBD
  • Part of subcall function 00C3CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C3CCCF
  • Part of subcall function 00C3CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C3CD05
  • Part of subcall function 00C3CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C3CD28
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00C3CCF3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                                                                                                                                                                                                                                                                                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2734957052-4033151799
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 2b3434581ac4319cfbab86fc80a9abdfaacd31d2034265732c08a3f5c75c0a8c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 1b54d5a933d4a51bb43ebd4b6e14985672d9c3c943a49dad19f783008d363321
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2b3434581ac4319cfbab86fc80a9abdfaacd31d2034265732c08a3f5c75c0a8c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 87315A75902129BBDB208B65DCC8FFFBB7CEF46750F000165F916E2250DA349A45DBA0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • timeGetTime.WINMM ref: 00C1E6B4
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BCE551: timeGetTime.WINMM(?,?,00C1E6D4), ref: 00BCE555
                                                                                                                                                                                                                                                                                                                                                                                • Sleep.KERNEL32(0000000A), ref: 00C1E6E1
                                                                                                                                                                                                                                                                                                                                                                                • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C1E705
                                                                                                                                                                                                                                                                                                                                                                                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C1E727
                                                                                                                                                                                                                                                                                                                                                                                • SetActiveWindow.USER32 ref: 00C1E746
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C1E754
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00C1E773
                                                                                                                                                                                                                                                                                                                                                                                • Sleep.KERNEL32(000000FA), ref: 00C1E77E
                                                                                                                                                                                                                                                                                                                                                                                • IsWindow.USER32 ref: 00C1E78A
                                                                                                                                                                                                                                                                                                                                                                                • EndDialog.USER32(00000000), ref: 00C1E79B
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                                                                                                                                                                                                                                                                                                • String ID: BUTTON
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1194449130-3405671355
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 89a836b2a4dfff032caf195c27734820117a624e2e59271bece18ed26df36d8b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 929b84309d763141e6d86703c286d408038c831437228a423c4abea16220ed84
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 89a836b2a4dfff032caf195c27734820117a624e2e59271bece18ed26df36d8b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9E216F74201644AFFB005F60ECCDBAD3BA9FB57748B144424FD15C22B1EB71AC40AB68
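The function above pairs a timeGetTime read with Sleep and then drives a dialog by hand: it enumerates the thread's windows, finds a BUTTON control, sends it message 0x00F5 (BM_CLICK in the Win32 headers), sends 0x0010 (WM_CLOSE) and finally calls EndDialog. When triaging reports like this one it helps to decode such message constants and tag the API sequence automatically. The following is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses API lines in the report's own format (the sample input is constructed by copying the listing above and two mciSendStringW lines from the function below), names the message ids it recognises, and maps the sequence to behaviour tags. The tag rules and the scan over all arguments for a message id (the report drops arguments it could not recover, so the message is not always at index 1) are heuristics of this example, not Joe Sandbox logic.

```python
import re
from dataclasses import dataclass

# Constructed input: the API listing of one function, copied from the report above.
SAMPLE_DIALOG = """\
• timeGetTime.WINMM ref: 00C1E6B4
  • Part of subcall function 00BCE551: timeGetTime.WINMM(?,?,00C1E6D4), ref: 00BCE555
• Sleep.KERNEL32(0000000A), ref: 00C1E6E1
• EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C1E705
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C1E727
• SetActiveWindow.USER32 ref: 00C1E746
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C1E754
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00C1E773
• Sleep.KERNEL32(000000FA), ref: 00C1E77E
• IsWindow.USER32 ref: 00C1E78A
• EndDialog.USER32(00000000), ref: 00C1E79B
"""

# Constructed input: two lines from the MCI function further down the report.
SAMPLE_MCI = """\
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C1EA5D
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C1EA96
"""

# Message ids as defined in the Win32 headers (WinUser.h).
MESSAGE_NAMES = {0x0010: "WM_CLOSE", 0x00F5: "BM_CLICK"}
# Timer reads commonly paired with Sleep for timing-based debugger/sandbox checks.
TIMING_APIS = {"timeGetTime", "GetTickCount", "GetTickCount64", "QueryPerformanceCounter"}


@dataclass
class ApiCall:
    api: str          # e.g. "SendMessageW"
    module: str       # e.g. "USER32"
    args: list        # argument strings as printed; "?" means not recovered
    ref: str          # call-site address from the report
    subcall: str = ""  # set when the line reads "Part of subcall function X"


# One report line: optional "Part of subcall function X:", Api.MODULE, optional
# "(args)", optional comma, then "ref: ADDRESS".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text):
    """Turn the report's API bullet lines into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub") or ""))
    return calls


def hex_arg(value):
    """Integer value of a hex argument, or None for '?', class names and symbols."""
    try:
        return int(value, 16)
    except ValueError:
        return None


def decode_messages(calls):
    """(ref, message name) for every Send/PostMessage argument that matches a known id.
    Heuristic: all arguments are scanned because the report omits unrecovered ones."""
    out = []
    for c in calls:
        if c.api not in ("SendMessageW", "SendMessageA", "PostMessageW", "PostMessageA"):
            continue
        for a in c.args:
            v = hex_arg(a)
            if v in MESSAGE_NAMES:
                out.append((c.ref, MESSAGE_NAMES[v]))
    return out


def classify(calls):
    """Map an API sequence to behaviour tags (rules are this example's own heuristics)."""
    names = [c.api for c in calls]
    findings = []
    if TIMING_APIS & set(names) and "Sleep" in names:
        findings.append("execution timing: timer read around Sleep (debugger/sandbox timing check)")
    finds_button = any(c.api.startswith("FindWindowEx") and "BUTTON" in c.args for c in calls)
    msgs = {name for _, name in decode_messages(calls)}
    if finds_button and "BM_CLICK" in msgs:
        findings.append("dialog auto-dismissal: locates a BUTTON control and sends BM_CLICK")
    if "WM_CLOSE" in msgs or "EndDialog" in names:
        findings.append("closes windows programmatically (WM_CLOSE / EndDialog)")
    if "mciSendStringW" in names:
        findings.append("plays media through MCI command strings")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_DIALOG, SAMPLE_MCI):
        calls = parse_api_lines(sample)
        print(decode_messages(calls))
        for f in classify(calls):
            print(" -", f)
```

Run on the dialog listing this yields BM_CLICK at 00C1E754 and WM_CLOSE at 00C1E773 plus the timing, auto-dismissal and window-closing tags; the MCI listing yields only the media tag. The subcall line is kept as its own record (with `subcall` set) so the nested timeGetTime is not mistaken for a second timer read in the parent.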
APIs
  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C1EA5D
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C1EA73
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C1EA84
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C1EA96
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C1EAA7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: SendString$_wcslen
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2420728520-1007645807
• Opcode ID: cb7bcb0294aecc269023ce8aa9876545a3db67dcb06f24cc73bd03a4d7559a2c
• Instruction ID: ad832bded8240efc0f3077b1d7b837e13e536c77de0e1f4aa80c527a9d9a1f11
• Opcode Fuzzy Hash: cb7bcb0294aecc269023ce8aa9876545a3db67dcb06f24cc73bd03a4d7559a2c
• Instruction Fuzzy Hash: 8F115131A502697AD720A7A2DC4AEFF6EBCEFD2F40F444479B915A20D1EAB00A45D5B0
APIs
• GetDlgItem.USER32(?,00000001), ref: 00C15CE2
• GetWindowRect.USER32(00000000,?), ref: 00C15CFB
• MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C15D59
• GetDlgItem.USER32(?,00000002), ref: 00C15D69
• GetWindowRect.USER32(00000000,?), ref: 00C15D7B
• MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C15DCF
• GetDlgItem.USER32(?,000003E9), ref: 00C15DDD
• GetWindowRect.USER32(00000000,?), ref: 00C15DEF
• MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C15E31
• GetDlgItem.USER32(?,000003EA), ref: 00C15E44
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C15E5A
• InvalidateRect.USER32(?,00000000,00000001), ref: 00C15E67
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3096461208-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 45298a47033f859f922162e234e6f842fc663b5ce2d13eeca29a6aaba5a3c62f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 4dfccbbd85cb5bf2552c20b8510d26f3d8ce67fbf082a2e7374aae23a62f07b3
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 45298a47033f859f922162e234e6f842fc663b5ce2d13eeca29a6aaba5a3c62f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7D511CB4A00605AFDB18DF69DD89BEEBBB5BF89300F108129F915E6290D7709E40CB50
APIs
  • Part of subcall function 00BC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BC8BE8,?,00000000,?,?,?,?,00BC8BBA,00000000,?), ref: 00BC8FC5
• DestroyWindow.USER32(?), ref: 00BC8C81
• KillTimer.USER32(00000000,?,?,?,?,00BC8BBA,00000000,?), ref: 00BC8D1B
• DestroyAcceleratorTable.USER32(00000000), ref: 00C06973
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00BC8BBA,00000000,?), ref: 00C069A1
• ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00BC8BBA,00000000,?), ref: 00C069B8
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00BC8BBA,00000000), ref: 00C069D4
• DeleteObject.GDI32(00000000), ref: 00C069E6
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 795fe7685e725f724fdb2bd93b36da0ceb85164173f2e4615be8dd65be844d94
• Instruction ID: 51a474fcdea959445aa6f2a4379dc4d2e25588899b43bbe68e339876c94b1f01
• Opcode Fuzzy Hash: 795fe7685e725f724fdb2bd93b36da0ceb85164173f2e4615be8dd65be844d94
• Instruction Fuzzy Hash: 8661AC31502700DFDB259F14D988B2AB7F1FB41322F1845ACE4529B9B0CB35AE91DFA8
APIs
  • Part of subcall function 00BC9944: GetWindowLongW.USER32(?,000000EB), ref: 00BC9952
• GetSysColor.USER32(0000000F), ref: 00BC9862
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: 55e89296936359740e475b3340eed4db80df5ae86ee40c1a3b80e6098e898230
• Instruction ID: fbcfc8a0e5be14383c33541981ba6a9e22e41c61487a8840d02202405e1c1289
• Opcode Fuzzy Hash: 55e89296936359740e475b3340eed4db80df5ae86ee40c1a3b80e6098e898230
• Instruction Fuzzy Hash: AE417B35505640AFEB205B389C88FBD3BA5FB06371F144699F9B28B1E2D7719D42DB20
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C233CF
  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C233F0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: LoadString$_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$G x$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4099089115-2704813766
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 7eb0016f79b07d73f1b3c01beeca31b0823625ebc302cc2d31103e22a49f27d3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 314a98f3583a995c591dda9bab6155b1a05acde39d79cd5877542f4297f416b8
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7eb0016f79b07d73f1b3c01beeca31b0823625ebc302cc2d31103e22a49f27d3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C4516F31900219ABDB15EBA0DD46EFEB7F8EF04740F1441A5B50972061DB756F98DB60
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00BFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C19717
                                                                                                                                                                                                                                                                                                                                                                                • LoadStringW.USER32(00000000,?,00BFF7F8,00000001), ref: 00C19720
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
                                                                                                                                                                                                                                                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00BFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C19742
                                                                                                                                                                                                                                                                                                                                                                                • LoadStringW.USER32(00000000,?,00BFF7F8,00000001), ref: 00C19745
                                                                                                                                                                                                                                                                                                                                                                                • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C19866
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: HandleLoadModuleString$Message_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 747408836-2268648507
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 7db6a97bba817ff4b809b9f72e97c9f0c779706b25e079754cd7f645eee6e82d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 903fe52864735918deda2ac82ca85c8343c8c860b9d12b276e6405210d8d6224
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7db6a97bba817ff4b809b9f72e97c9f0c779706b25e079754cd7f645eee6e82d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E2414072800209ABDB14EBE0CD96EFE77B8EF15740F5400A5F60572092EBB56F48DB61
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • VariantInit.OLEAUT32(?), ref: 00C33C5C
                                                                                                                                                                                                                                                                                                                                                                                • CoInitialize.OLE32(00000000), ref: 00C33C8A
                                                                                                                                                                                                                                                                                                                                                                                • CoUninitialize.OLE32 ref: 00C33C94
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00C33D2D
                                                                                                                                                                                                                                                                                                                                                                                • GetRunningObjectTable.OLE32(00000000,?), ref: 00C33DB1
                                                                                                                                                                                                                                                                                                                                                                                • SetErrorMode.KERNEL32(00000001,00000029), ref: 00C33ED5
                                                                                                                                                                                                                                                                                                                                                                                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00C33F0E
                                                                                                                                                                                                                                                                                                                                                                                • CoGetObject.OLE32(?,00000000,00C4FB98,?), ref: 00C33F2D
                                                                                                                                                                                                                                                                                                                                                                                • SetErrorMode.KERNEL32(00000000), ref: 00C33F40
                                                                                                                                                                                                                                                                                                                                                                                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C33FC4
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32(?), ref: 00C33FD8
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 429561992-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 6a2cdbad1f0e5ac7a90296c46edf7973d23fa1ccdaabf6c53d870a843cf9ec6a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: b9f465cdd9b79714d7ac7e15eb07742636868ba687291e3d2e3bc083f05a90dc
• Opcode Fuzzy Hash: 6a2cdbad1f0e5ac7a90296c46edf7973d23fa1ccdaabf6c53d870a843cf9ec6a
• Instruction Fuzzy Hash: BEC166716183419FC700DF68C884A2BBBE9FF89744F10495DF98A9B260DB71EE45CB52

APIs
• CoInitialize.OLE32(00000000), ref: 00C27AF3
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C27B8F
• SHGetDesktopFolder.SHELL32(?), ref: 00C27BA3
• CoCreateInstance.OLE32(00C4FD08,00000000,00000001,00C76E6C,?), ref: 00C27BEF
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C27C74
• CoTaskMemFree.OLE32(?,?), ref: 00C27CCC
• SHBrowseForFolderW.SHELL32(?), ref: 00C27D57
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C27D7A
• CoTaskMemFree.OLE32(00000000), ref: 00C27D81
• CoTaskMemFree.OLE32(00000000), ref: 00C27DD6
• CoUninitialize.OLE32 ref: 00C27DDC
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
• String ID:
• API String ID: 2762341140-0
• Opcode ID: 430b5f5cf2d550047421bd3a45f99c47565525b18e1d35f157b1ec07bb047d48
• Instruction ID: c92e3feec489f1e5f222c3962b2b8988d009fc9325af74d4683a1dea8a6294d7
• Opcode Fuzzy Hash: 430b5f5cf2d550047421bd3a45f99c47565525b18e1d35f157b1ec07bb047d48
• Instruction Fuzzy Hash: BEC13C75A04119AFCB14DF64D8C8DAEBBF9FF48304B148599E8169B661DB30EE41CB90

APIs
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C45504
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C45515
• CharNextW.USER32(00000158), ref: 00C45544
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C45585
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C4559B
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C455AC
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: MessageSend$CharNext
• String ID:
• API String ID: 1350042424-0
• Opcode ID: 26dbb3823f4e52620081c970327d05ed6ab9755d582723164529835fe5c5bb75
• Instruction ID: 8f6a797200f4927a72f2719759dfac953877710b5bca44430d3e0c1c99efd8ea
• Opcode Fuzzy Hash: 26dbb3823f4e52620081c970327d05ed6ab9755d582723164529835fe5c5bb75
• Instruction Fuzzy Hash: 70619074905608EFDF109F65CC84AFE7BB9FF06720F108145F925AB2A2D7748A81DB60

APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C0FAAF
• SafeArrayAllocData.OLEAUT32(?), ref: 00C0FB08
• VariantInit.OLEAUT32(?), ref: 00C0FB1A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00C0FB3A
• VariantCopy.OLEAUT32(?,?), ref: 00C0FB8D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00C0FBA1
• VariantClear.OLEAUT32(?), ref: 00C0FBB6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00C0FBC3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C0FBCC
• VariantClear.OLEAUT32(?), ref: 00C0FBDE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C0FBE9
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 5c9b7210ef8144e9c722221f8ac8547f8b6d85e31d740678e9b3fa33e828a61d
• Instruction ID: e3585c15335c6a1910f1d1c2e5462f81c989ffde8426d1243ea1027f0e1206f0
• Opcode Fuzzy Hash: 5c9b7210ef8144e9c722221f8ac8547f8b6d85e31d740678e9b3fa33e828a61d
• Instruction Fuzzy Hash: 49415235A00219DFCB10DF64C894ABDBBB9FF48354F008069E955A7261C734E986CFA0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetKeyboardState.USER32(?), ref: 00C19CA1
                                                                                                                                                                                                                                                                                                                                                                                • GetAsyncKeyState.USER32(000000A0), ref: 00C19D22
                                                                                                                                                                                                                                                                                                                                                                                • GetKeyState.USER32(000000A0), ref: 00C19D3D
                                                                                                                                                                                                                                                                                                                                                                                • GetAsyncKeyState.USER32(000000A1), ref: 00C19D57
                                                                                                                                                                                                                                                                                                                                                                                • GetKeyState.USER32(000000A1), ref: 00C19D6C
                                                                                                                                                                                                                                                                                                                                                                                • GetAsyncKeyState.USER32(00000011), ref: 00C19D84
                                                                                                                                                                                                                                                                                                                                                                                • GetKeyState.USER32(00000011), ref: 00C19D96
                                                                                                                                                                                                                                                                                                                                                                                • GetAsyncKeyState.USER32(00000012), ref: 00C19DAE
                                                                                                                                                                                                                                                                                                                                                                                • GetKeyState.USER32(00000012), ref: 00C19DC0
                                                                                                                                                                                                                                                                                                                                                                                • GetAsyncKeyState.USER32(0000005B), ref: 00C19DD8
                                                                                                                                                                                                                                                                                                                                                                                • GetKeyState.USER32(0000005B), ref: 00C19DEA
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 91f8f289900ded9035eea4758fe2153fa3c50375c8e0c93c3b19e795b1d8e371
• Instruction ID: 2fa4efbf0620ffda9437e1a7cba06470de9e1441a3cbcc9014a9a4f3a829c978
• Opcode Fuzzy Hash: 91f8f289900ded9035eea4758fe2153fa3c50375c8e0c93c3b19e795b1d8e371
• Instruction Fuzzy Hash: 0A41E5346047C969FF309664D8643E5BEB0EF13304F08805ADAD6566C2DBB49BC8E7A2
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00C305BC
• inet_addr.WSOCK32(?), ref: 00C3061C
• gethostbyname.WSOCK32(?), ref: 00C30628
• IcmpCreateFile.IPHLPAPI ref: 00C30636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C306C6
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C306E5
• IcmpCloseHandle.IPHLPAPI(?), ref: 00C307B9
• WSACleanup.WSOCK32 ref: 00C307BF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 47523ce5403321b0b760029afdfa29d210b2afe7244bbb7c40060b27bf63b378
• Instruction ID: c80dba68784eac38fb2751c648596315961bd0aae096480194a72fa1e0e2ac5f
• Opcode Fuzzy Hash: 47523ce5403321b0b760029afdfa29d210b2afe7244bbb7c40060b27bf63b378
• Instruction Fuzzy Hash: D0918D366182019FD320DF15C899F2ABBE0BF45318F2485A9F46A9B6A2C770ED45CF91
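The two API listings above (the modifier-key polling through GetAsyncKeyState/GetKeyState, and the ICMP echo routine around IcmpSendEcho) are quicker to triage once the raw hex arguments are decoded. The Python below is an added example for that purpose; it is not part of the Joe Sandbox report or its tooling. It parses lines in the report's "APIs" bullet format (the line regex and the handful of sample lines, constructed here from the listings above, are assumptions), names the virtual-key codes passed to the key-state calls, and reads RequestSize, ReplySize and Timeout out of the IcmpSendEcho argument positions using the iphlpapi prototype. It also flags the point a reviewer would want: every key this function polls is a modifier, which is consistent with checking modifier state and is a weaker keylogger indicator than polling the whole VK range.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied in the report's "APIs" bullet format.
SAMPLE_API_LINES = """\
• GetKeyboardState.USER32(?), ref: 00C19CA1
• GetAsyncKeyState.USER32(000000A0), ref: 00C19D22
• GetKeyState.USER32(000000A0), ref: 00C19D3D
• GetAsyncKeyState.USER32(00000011), ref: 00C19D84
• GetKeyState.USER32(0000005B), ref: 00C19DEA
• WSAStartup.WSOCK32(00000101,?), ref: 00C305BC
• gethostbyname.WSOCK32(?), ref: 00C30628
• IcmpCreateFile.IPHLPAPI ref: 00C30636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C306C6
• IcmpCloseHandle.IPHLPAPI(?), ref: 00C307B9
"""

# Assumed shape of one report line: "• Api.MODULE(arg,arg), ref: ADDR"; the
# parenthesised argument list is optional (compare IcmpCreateFile above).
LINE_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 virtual-key codes for the modifier keys; anything else is printed as hex.
VK_NAMES = {
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
    0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
    0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT",
    0xA2: "VK_LCONTROL", 0xA3: "VK_RCONTROL",
    0xA4: "VK_LMENU", 0xA5: "VK_RMENU",
}
MODIFIER_VKS = set(VK_NAMES)

# IcmpSendEcho(IcmpHandle, DestinationAddress, RequestData, RequestSize,
#              RequestOptions, ReplyBuffer, ReplySize, Timeout)
ICMP_ARG_INDEX = {"request_size": 3, "reply_size": 6, "timeout_ms": 7}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # int for a concrete value, None where the report shows "?"
    ref: int


def parse_api_lines(text: str) -> list:
    """Parse report bullet lines into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = []
        if raw is not None:
            for tok in raw.split(","):
                tok = tok.strip()
                # Keep unknown values as None rather than guessing them.
                args.append(None if tok in ("", "?") else int(tok, 16))
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def _polled_codes(calls: list) -> list:
    return [c.args[0] for c in calls
            if c.api in ("GetAsyncKeyState", "GetKeyState") and c.args and c.args[0] is not None]


def keys_polled(calls: list) -> list:
    """Sorted names of the virtual keys passed to GetAsyncKeyState/GetKeyState."""
    return sorted({VK_NAMES.get(code, f"VK_0x{code:02X}") for code in _polled_codes(calls)})


def only_modifiers_polled(calls: list) -> bool:
    """True when every concrete key polled is a modifier (weaker keylogger indicator)."""
    codes = _polled_codes(calls)
    return bool(codes) and all(code in MODIFIER_VKS for code in codes)


def icmp_probes(calls: list) -> list:
    """Decode the sizing and timeout arguments of each IcmpSendEcho call."""
    probes = []
    for c in calls:
        if c.api != "IcmpSendEcho" or len(c.args) < 8:
            continue
        probes.append({"ref": c.ref, **{k: c.args[i] for k, i in ICMP_ARG_INDEX.items()}})
    return probes


def summarize(text: str) -> dict:
    """Capability summary for one function's API listing."""
    calls = parse_api_lines(text)
    return {
        "calls": len(calls),
        "keys_polled": keys_polled(calls),
        "only_modifiers": only_modifiers_polled(calls),
        "icmp_probes": icmp_probes(calls),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_API_LINES))
```

On the listing above this decodes the echo call as a 5-byte request, a 41-byte reply buffer and a 4000 ms timeout, and the key-state calls as VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU and VK_LWIN, all modifiers. Values the report shows as "?" are kept as None so the decoder never fills in an address or buffer it cannot see.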
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _wcslen$BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 707087890-567219261
• Opcode ID: 15bbc1a9e395f06fb776ee50cb18d51ced67490d6157b8a968c2860117916af7
• Instruction ID: b48f0b72abca81498e4e0cee6bce29e03078afe0b7de100bcf3450108a5af8b4
• Opcode Fuzzy Hash: 15bbc1a9e395f06fb776ee50cb18d51ced67490d6157b8a968c2860117916af7
• Instruction Fuzzy Hash: 5651AF35A106169BCF14DF68C9909BEB7E5BF65720F204229F826E72C4EB34DE48C790
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • CoInitialize.OLE32 ref: 00C33774
                                                                                                                                                                                                                                                                                                                                                                                • CoUninitialize.OLE32 ref: 00C3377F
                                                                                                                                                                                                                                                                                                                                                                                • CoCreateInstance.OLE32(?,00000000,00000017,00C4FB78,?), ref: 00C337D9
                                                                                                                                                                                                                                                                                                                                                                                • IIDFromString.OLE32(?,?), ref: 00C3384C
                                                                                                                                                                                                                                                                                                                                                                                • VariantInit.OLEAUT32(?), ref: 00C338E4
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32(?), ref: 00C33936
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 636576611-1287834457
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 9aab507ecfb28d79df5c870cb76b2f83b21ee9ef114da0168e8967fa21f6c4e3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: cd95b3ed7cfd03a0d618136ee50b93edf642f46e313be9c095b5b32aae8a6787
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9aab507ecfb28d79df5c870cb76b2f83b21ee9ef114da0168e8967fa21f6c4e3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3161BF74618341AFD310DF54C889FAABBE8EF49710F10495EF9959B2A1C770EE48CB92
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetLocalTime.KERNEL32(?), ref: 00C28257
                                                                                                                                                                                                                                                                                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00C28267
                                                                                                                                                                                                                                                                                                                                                                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C28273
                                                                                                                                                                                                                                                                                                                                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C28310
                                                                                                                                                                                                                                                                                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C28324
                                                                                                                                                                                                                                                                                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C28356
                                                                                                                                                                                                                                                                                                                                                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C2838C
                                                                                                                                                                                                                                                                                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C28395
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CurrentDirectoryTime$File$Local$System
                                                                                                                                                                                                                                                                                                                                                                                • String ID: *.*
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1464919966-438819550
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 628ec36fd28e6faa6f32187136c21619fbd21573f64bc133c131b20cb4538f8a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: a27f08964f93cbc7aeda5f7c6a3affea2415cbe7aa72bf2eb7ac87e12459f5b0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 628ec36fd28e6faa6f32187136c21619fbd21573f64bc133c131b20cb4538f8a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BD618F725043159FC710EF64D840AAEB3E8FF89310F04895EF999C7261EB75E949CB92
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BC912D: GetCursorPos.USER32(?), ref: 00BC9141
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BC912D: ScreenToClient.USER32(00000000,?), ref: 00BC915E
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BC912D: GetAsyncKeyState.USER32(00000001), ref: 00BC9183
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BC912D: GetAsyncKeyState.USER32(00000002), ref: 00BC919D
                                                                                                                                                                                                                                                                                                                                                                                • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00C48B6B
                                                                                                                                                                                                                                                                                                                                                                                • ImageList_EndDrag.COMCTL32 ref: 00C48B71
                                                                                                                                                                                                                                                                                                                                                                                • ReleaseCapture.USER32 ref: 00C48B77
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowTextW.USER32(?,00000000), ref: 00C48C12
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C48C25
                                                                                                                                                                                                                                                                                                                                                                                • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00C48CFF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: x$@GUI_DRAGFILE$@GUI_DROPID
• API String ID: 1924731296-2969167533
• Opcode ID: 320161c37fc8c2896ce718ea6b9aef170e220f67845fbb042b5277f9d520d933
• Instruction ID: e2c436d64f04251b2e66df2b0fd80ec0d0ece9f47b3965273617099a85495a79
• Opcode Fuzzy Hash: 320161c37fc8c2896ce718ea6b9aef170e220f67845fbb042b5277f9d520d933
• Instruction Fuzzy Hash: 50516970505204AFD704EF24DC96FAE77E8FB88714F14066DF996A72E1CB709A08CB62
APIs
Strings
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 1256254125-769500911
• Opcode ID: f073f4dbd27d5f2d762610be2911a4707d00ad570fcf33ba084e31de4b638ed3
• Instruction ID: b61fd795acfc1ffd46c506ec4a561ebe325993b3dab8e0081d2a636fbfe41eda
• Opcode Fuzzy Hash: f073f4dbd27d5f2d762610be2911a4707d00ad570fcf33ba084e31de4b638ed3
• Instruction Fuzzy Hash: 7741D632A001269BCB145F7D88905FEB7A5AF72794B244169F435D7284F735CEC1DB90
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C1BCFD
• IsMenu.USER32(00000000), ref: 00C1BD1D
• CreatePopupMenu.USER32 ref: 00C1BD53
• GetMenuItemCount.USER32(8U), ref: 00C1BDA4
• InsertMenuItemW.USER32(8U,?,00000001,00000030), ref: 00C1BDCC
Strings
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 0$2$8U$8U
• API String ID: 93392585-1347227454
• Opcode ID: 6be1ed370342ebc5cf137a1f00082f34c98b4bf67f8a5f0d8645de308b1140fd
• Instruction ID: b7da2c08110ac3bbed348fbfdd7b1b2eef7aff500795eba2133d55b82ddd35bc
• Opcode Fuzzy Hash: 6be1ed370342ebc5cf137a1f00082f34c98b4bf67f8a5f0d8645de308b1140fd
• Instruction Fuzzy Hash: 80518C70A002059BDB18EFA9E8C4BEEBBF4BF5A314F144159F42197298D770AE81EF51
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00C253A0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C25416
• GetLastError.KERNEL32 ref: 00C25420
• SetErrorMode.KERNEL32(00000000,READY), ref: 00C254A7
Strings
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 4d06da961d65b6414c90cfe3ed7e1392316882f680a63e0505065193d07d3e2e
• Instruction ID: 409a17e1fb92d06d816029032e1af2ddd615dc1edb75bed3995690f18cc791e5
• Opcode Fuzzy Hash: 4d06da961d65b6414c90cfe3ed7e1392316882f680a63e0505065193d07d3e2e
• Instruction Fuzzy Hash: 2431F075A006149FCB10EF68D884BEABBB4FF05305F148066E915CB6A2DB70DE82CB90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • CreateMenu.USER32 ref: 00C43C79
                                                                                                                                                                                                                                                                                                                                                                                • SetMenu.USER32(?,00000000), ref: 00C43C88
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C43D10
                                                                                                                                                                                                                                                                                                                                                                                • IsMenu.USER32(?), ref: 00C43D24
                                                                                                                                                                                                                                                                                                                                                                                • CreatePopupMenu.USER32 ref: 00C43D2E
                                                                                                                                                                                                                                                                                                                                                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C43D5B
                                                                                                                                                                                                                                                                                                                                                                                • DrawMenuBar.USER32 ref: 00C43D63
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                                                                                                                                                                                                                                                                                                                • String ID: 0$F
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 161812096-3044882817
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 40e74ca1be631e3d11052a784d63e46af551ef0b2487629a19b03286e4a1d0da
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 4cacafd5f344d7283464c4ac8955fae036bbb127cecca3d3f317ac7a6cfcb97d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 40e74ca1be631e3d11052a784d63e46af551ef0b2487629a19b03286e4a1d0da
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EF415979A02209AFDB14CF64D888BAE7BB5FF89350F140029F956A7360D770AA10DF94
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C43A9D
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C43AA0
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00C43AC7
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C43AEA
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C43B62
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00C43BAC
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00C43BC7
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00C43BE2
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00C43BF6
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00C43C13
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$LongWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 312131281-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 156b2a161b5de10e38d648569bbab12c39f57437244c24262d1143c737352567
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 76bf812ebc9c4da051c46df52e71eb0e08bbbbc03ddc8932d7b9d69d527101aa
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 156b2a161b5de10e38d648569bbab12c39f57437244c24262d1143c737352567
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1D616675A00248AFDB10DFA8CC81FEE77F8FB49710F144199FA15A72A1C770AA46DB50
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00C1B151
                                                                                                                                                                                                                                                                                                                                                                                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C1A1E1,?,00000001), ref: 00C1B165
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowThreadProcessId.USER32(00000000), ref: 00C1B16C
                                                                                                                                                                                                                                                                                                                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C1A1E1,?,00000001), ref: 00C1B17B
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C1B18D
                                                                                                                                                                                                                                                                                                                                                                                • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C1A1E1,?,00000001), ref: 00C1B1A6
                                                                                                                                                                                                                                                                                                                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C1A1E1,?,00000001), ref: 00C1B1B8
                                                                                                                                                                                                                                                                                                                                                                                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C1A1E1,?,00000001), ref: 00C1B1FD
                                                                                                                                                                                                                                                                                                                                                                                • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C1A1E1,?,00000001), ref: 00C1B212
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C1A1E1,?,00000001), ref: 00C1B21D
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 5a16cd6cfd75da6988a48194e567e84ef98c1ab5998429bee73131cf5e0aca5c
• Instruction ID: 5fae0942e819f8f69b0458a99dc0bbd8932c8c5978e3ea40b902d5bd8b291f7e
• Opcode Fuzzy Hash: 5a16cd6cfd75da6988a48194e567e84ef98c1ab5998429bee73131cf5e0aca5c
• Instruction Fuzzy Hash: A031DD75601204BFDB10AF64DC98FED7BA9BB63711F218004FA15DA1A0D7B89E849F68
APIs
• _free.LIBCMT ref: 00BE2C94
  • Part of subcall function 00BE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000), ref: 00BE29DE
  • Part of subcall function 00BE29C8: GetLastError.KERNEL32(00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000,00000000), ref: 00BE29F0
• _free.LIBCMT ref: 00BE2CA0
• _free.LIBCMT ref: 00BE2CAB
• _free.LIBCMT ref: 00BE2CB6
• _free.LIBCMT ref: 00BE2CC1
• _free.LIBCMT ref: 00BE2CCC
• _free.LIBCMT ref: 00BE2CD7
• _free.LIBCMT ref: 00BE2CE2
• _free.LIBCMT ref: 00BE2CED
• _free.LIBCMT ref: 00BE2CFB
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: fbd9e93e1eb44c2890cbd353b81c9ab0a163314c4b471441e012840ea08cea38
• Instruction ID: 7f832721d1665246a310230547a32a041dc404610e9894536d33bc48754213ac
• Opcode Fuzzy Hash: fbd9e93e1eb44c2890cbd353b81c9ab0a163314c4b471441e012840ea08cea38
• Instruction Fuzzy Hash: 7911937A100148AFCB02EF56D882CDD3BA9FF05350F5254A5FA489B322DB39EA509B90
APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C27FAD
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C27FC1
• GetFileAttributesW.KERNEL32(?), ref: 00C27FEB
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00C28005
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C28017
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C28060
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C280B0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile
• String ID: *.*
• API String ID: 769691225-438819550
• Opcode ID: 53ab3266db12fc28959fbafe0449a55ad12ae2c7d408c02dd7e0c115ac10728f
• Instruction ID: 7e0f77e323425064f2d46d4f24be92261b22408ae793561fb16716f083d40fe9
• Opcode Fuzzy Hash: 53ab3266db12fc28959fbafe0449a55ad12ae2c7d408c02dd7e0c115ac10728f
• Instruction Fuzzy Hash: 0981CF725082119FCB20EF15D880ABEB3E8BF89310F15499EF895C7650EB74DE48CB62
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00BB5C7A
  • Part of subcall function 00BB5D0A: GetClientRect.USER32(?,?), ref: 00BB5D30
  • Part of subcall function 00BB5D0A: GetWindowRect.USER32(?,?), ref: 00BB5D71
  • Part of subcall function 00BB5D0A: ScreenToClient.USER32(?,?), ref: 00BB5D99
• GetDC.USER32 ref: 00BF46F5
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BF4708
• SelectObject.GDI32(00000000,00000000), ref: 00BF4716
• SelectObject.GDI32(00000000,00000000), ref: 00BF472B
• ReleaseDC.USER32(?,00000000), ref: 00BF4733
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BF47C4
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID: U
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4009187628-3372436214
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: cf5698a62871a2bb1be84a609a530086dab194572b20b930185b23c3cf8928bc
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 168d25aadb360cf69b1ccce38cf3359937b7a9c56f9fc6722fbed237db997e4e
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cf5698a62871a2bb1be84a609a530086dab194572b20b930185b23c3cf8928bc
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7F71BA34400209EFCF219F64C984BFA7BF6FF4A360F1842A9EA559B2A6C7709C45DB51
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C235E4
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
                                                                                                                                                                                                                                                                                                                                                                                • LoadStringW.USER32(00C82390,?,00000FFF,?), ref: 00C2360A
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: LoadString$_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4099089115-2391861430
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 48835b0ebbb39647c10cb8ad43f2ab39e9ba5d10122025826243dd9e6be1966a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 43fdd88d30e17fda2e0d85528493623801b69f48b87dc13b6d99c9052783bb36
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 48835b0ebbb39647c10cb8ad43f2ab39e9ba5d10122025826243dd9e6be1966a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 70516A71800219ABCF14EBA0DC82EFEBBB8EF04740F1441A5F505720A1EB705B99EFA4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C2C272
                                                                                                                                                                                                                                                                                                                                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C2C29A
                                                                                                                                                                                                                                                                                                                                                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C2C2CA
                                                                                                                                                                                                                                                                                                                                                                                • GetLastError.KERNEL32 ref: 00C2C322
                                                                                                                                                                                                                                                                                                                                                                                • SetEvent.KERNEL32(?), ref: 00C2C336
                                                                                                                                                                                                                                                                                                                                                                                • InternetCloseHandle.WININET(00000000), ref: 00C2C341
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3113390036-3916222277
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 1cb546222e18bd81522cd01846393d9b4e709142b6b376a373edf52154164cdc
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 6611e395ee76f40ac32a1b6cdc6c55682e4eb07e3a016c48413939f40d9bd518
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1cb546222e18bd81522cd01846393d9b4e709142b6b376a373edf52154164cdc
• Instruction Fuzzy Hash: 38319CB1500614AFD721DFA5A8C8BAF7AFCEB49740B10891AA45692620DB74DD049B60
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BF3AAF,?,?,Bad directive syntax error,00C4CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C198BC
• LoadStringW.USER32(00000000,?,00BF3AAF,?), ref: 00C198C3
  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C19987
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
• Opcode ID: 5587f06ef9e1318d4575dbd0cd29a040ed750921d410ad162f7f6708848e0f5e
• Instruction ID: 69a1af26f095741c7d6af19b1254014bf8e10b848a39d3d99596492196da0c41
• Opcode Fuzzy Hash: 5587f06ef9e1318d4575dbd0cd29a040ed750921d410ad162f7f6708848e0f5e
• Instruction Fuzzy Hash: B5217E3180021ABBCF15AF90CC56EFE7BB5FF19700F0444A9F519660A2EBB19A58DB10
APIs
• GetParent.USER32 ref: 00C120AB
• GetClassNameW.USER32(00000000,?,00000100), ref: 00C120C0
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C1214D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-3381328864
• Opcode ID: 0e49b6b4a0179441673d744c57fbef0bb6c42d40f5150509763cb068956cbf6f
• Instruction ID: 87df851577149b32b7a61761e2388d99a6031fed9c205d29e35528f4768d1b53
• Opcode Fuzzy Hash: 0e49b6b4a0179441673d744c57fbef0bb6c42d40f5150509763cb068956cbf6f
• Instruction Fuzzy Hash: 78113A7E684706BBF605A220DC06DFE779CDB07324B305066FB08A40E1FBA15C916514
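The API listings in the two function blocks above carry their meaning in raw hex constants: the MessageBoxW call at ref 00C19987 passes uType 00011010, and the SendMessageW call at ref 00C1214D passes message 00000111 with wParam 0000702B to a window found under a SHELLDLL_DefView parent. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the listing's `Api.MODULE(arg,arg,...), ref: addr` format (including the indented "Part of subcall function" form and calls printed without an argument list) and decodes the MessageBox flags and window-message numbers. The sample lines are copied from the listing above. Constant names and values are taken from winuser.h and commctrl.h; the mapping of message 0x2001 to CCM_SETBKCOLOR is from commctrl.h and its effect depends on which control receives it, and the WM_COMMAND command id 0x702B is extracted but deliberately not interpreted. Decoding 0x11010 yields a system-modal, foreground error box, which fits the AutoIt runtime error strings ("Bad directive syntax error", ">>>AUTOIT SCRIPT<<<", the "Line %d (File "%s"):" format) that the same function references.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: API lines copied from two function blocks of the
# Joe Sandbox listing (leading whitespace dropped, bullets kept).
SAMPLE_LINES = [
    "• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BF3AAF,?,?,Bad directive syntax error,00C4CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C198BC",
    "• LoadStringW.USER32(00000000,?,00BF3AAF,?), ref: 00C198C3",
    "• Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD",
    "• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C19987",
    "• GetParent.USER32 ref: 00C120AB",
    "• GetClassNameW.USER32(00000000,?,00000100), ref: 00C120C0",
    "• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C1214D",
]

# One listing line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE, an optional "(arg,arg,...)" list, and the call-site address.
LINE_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")  # numeric args are printed as 8 hex digits

def parse_api_line(line: str) -> Dict[str, object]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an API listing line: {line!r}")
    # String arguments are printed unquoted, so a string that itself contains
    # a comma would be split here; none of the sample lines has one.
    args = m.group("args").split(",") if m.group("args") is not None else []
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": args,
        "ref": int(m.group("ref"), 16),
        "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
    }

def arg_int(arg: str) -> Optional[int]:
    """Numeric value of an argument, or None for '?' and string arguments."""
    return int(arg, 16) if HEX_ARG.match(arg) else None

# MessageBox uType fields (winuser.h): buttons 0x0F, icon 0xF0, default button
# 0xF00, modality 0x3000, then individual flag bits.
MB_BUTTONS = {0: "MB_OK", 1: "MB_OKCANCEL", 2: "MB_ABORTRETRYIGNORE", 3: "MB_YESNOCANCEL",
              4: "MB_YESNO", 5: "MB_RETRYCANCEL", 6: "MB_CANCELTRYCONTINUE"}
MB_ICONS = {0x10: "MB_ICONERROR", 0x20: "MB_ICONQUESTION",
            0x30: "MB_ICONWARNING", 0x40: "MB_ICONINFORMATION"}
MB_MODAL = {0x1000: "MB_SYSTEMMODAL", 0x2000: "MB_TASKMODAL"}
MB_FLAGS = {0x4000: "MB_HELP", 0x8000: "MB_NOFOCUS", 0x10000: "MB_SETFOREGROUND",
            0x20000: "MB_DEFAULT_DESKTOP_ONLY", 0x40000: "MB_TOPMOST", 0x80000: "MB_RIGHT",
            0x100000: "MB_RTLREADING", 0x200000: "MB_SERVICE_NOTIFICATION"}

def decode_mb_type(utype: int) -> List[str]:
    names = [MB_BUTTONS.get(utype & 0xF, f"MB_BUTTONS_{utype & 0xF:#x}")]
    icon = utype & 0xF0
    if icon:
        names.append(MB_ICONS.get(icon, f"MB_ICON_{icon:#x}"))
    defbtn = utype & 0xF00
    if defbtn:
        names.append(f"MB_DEFBUTTON{(defbtn >> 8) + 1}")
    modal = utype & 0x3000
    if modal:
        names.append(MB_MODAL.get(modal, f"MB_MODAL_{modal:#x}"))
    names.extend(name for bit, name in MB_FLAGS.items() if utype & bit)
    return names

# Window messages seen in this listing plus a few common ones (winuser.h /
# commctrl.h). 0x2001 is CCM_FIRST + 1; what it does depends on the control class.
WINDOW_MESSAGES = {0x000C: "WM_SETTEXT", 0x000D: "WM_GETTEXT", 0x0010: "WM_CLOSE",
                   0x0111: "WM_COMMAND", 0x2001: "CCM_SETBKCOLOR"}

def describe_call(call: Dict[str, object]) -> str:
    api = call["api"]
    ints = [arg_int(a) for a in call["args"]]
    if api == "MessageBoxW" and len(ints) >= 4 and ints[3] is not None:
        return f"{api}: uType={ints[3]:#x} = " + " | ".join(decode_mb_type(ints[3]))
    if api == "SendMessageW" and len(ints) >= 3 and ints[1] is not None:
        msg = WINDOW_MESSAGES.get(ints[1], f"msg_{ints[1]:#06x}")
        extra = ""
        if ints[1] == 0x0111 and ints[2] is not None:
            # WM_COMMAND: LOWORD(wParam) is the command id, HIWORD the notify code.
            extra = f" (command id={ints[2] & 0xFFFF:#x}, notify code={ints[2] >> 16:#x})"
        return f"{api}: {msg}{extra}"
    return f"{api}: no decoder"

def decode_listing(lines: List[str]) -> List[str]:
    """Call-site address plus decoded description for every listing line."""
    out = []
    for call in (parse_api_line(line) for line in lines):
        out.append(f"{call['ref']:08X} {describe_call(call)}")
    return out

if __name__ == "__main__":
    for entry in decode_listing(SAMPLE_LINES):
        print(entry)
```

The decoder only interprets arguments the listing prints as eight hex digits; `?` placeholders and unquoted strings stay opaque, so a call whose flags the sandbox could not resolve is reported as "no decoder" rather than guessed at.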
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: cf6364c9c21896e17ef59914a7515471d6cdb380bf87bfcc7974b2e8919b8af3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: b61104ddae5fdf8ac971a63d77b8778d64918b083a8f2ab15a28e21e554ceb94
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cf6364c9c21896e17ef59914a7515471d6cdb380bf87bfcc7974b2e8919b8af3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6EC1E074A04289AFDB11DFAAC881BADBBF0EF09310F5441D9F919AB393C7309945CB61
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1282221369-0
APIs
• SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00C45186
• ShowWindow.USER32(?,00000000), ref: 00C451C7
• ShowWindow.USER32(?,00000005,?,00000000), ref: 00C451CD
• SetFocus.USER32(?,?,00000005,?,00000000), ref: 00C451D1
  • Part of subcall function 00C46FBA: DeleteObject.GDI32(00000000), ref: 00C46FE6
• GetWindowLongW.USER32(?,000000F0), ref: 00C4520D
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C4521A
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C4524D
• SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00C45287
• SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00C45296
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
• String ID:
• API String ID: 3210457359-0
APIs
• LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00C06890
• ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00C068A9
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C068B9
• ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00C068D1
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C068F2
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BC8874,00000000,00000000,00000000,000000FF,00000000), ref: 00C06901
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C0691E
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BC8874,00000000,00000000,00000000,000000FF,00000000), ref: 00C0692D
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID:
• API String ID: 1268354404-0
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C2C182
• GetLastError.KERNEL32 ref: 00C2C195
• SetEvent.KERNEL32(?), ref: 00C2C1A9
  • Part of subcall function 00C2C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C2C272
  • Part of subcall function 00C2C253: GetLastError.KERNEL32 ref: 00C2C322
  • Part of subcall function 00C2C253: SetEvent.KERNEL32(?), ref: 00C2C336
  • Part of subcall function 00C2C253: InternetCloseHandle.WININET(00000000), ref: 00C2C341
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
• String ID:
• API String ID: 337547030-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 2e0118ab5c7c7f4812316c387ddf06eaa4bf71270e380b8586ea0891a2cf7584
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: b20ab6a616ac72410be9d64f5cb377f8daa4feef14744f2044d5a4367f3b6e2d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2e0118ab5c7c7f4812316c387ddf06eaa4bf71270e380b8586ea0891a2cf7584
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 66318E75201611EFDB219FA5ED84B6EBBF8FF19300B00441DF96683A20DB71E914EBA0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C13A57
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C13A3D: GetCurrentThreadId.KERNEL32 ref: 00C13A5E
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C125B3), ref: 00C13A65
                                                                                                                                                                                                                                                                                                                                                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C125BD
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C125DB
                                                                                                                                                                                                                                                                                                                                                                                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C125DF
                                                                                                                                                                                                                                                                                                                                                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C125E9
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C12601
                                                                                                                                                                                                                                                                                                                                                                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C12605
                                                                                                                                                                                                                                                                                                                                                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C1260F
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C12623
                                                                                                                                                                                                                                                                                                                                                                                • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C12627
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2014098862-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 7f05702f6d4dbf18a781573c03e1b2a38f1a6d333dcc52a9d92f2c8c568b4efe
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: c852768b4effc6d84100fca3e12930fa4acaa517b1191346c84da62220f842bb
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7f05702f6d4dbf18a781573c03e1b2a38f1a6d333dcc52a9d92f2c8c568b4efe
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6301D834791650BBFB1067699CCAF9D3F59EF4FB11F104001F318AE0E1C9E11454AAA9
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C11449,?,?,00000000), ref: 00C1180C
                                                                                                                                                                                                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000,?,00C11449,?,?,00000000), ref: 00C11813
                                                                                                                                                                                                                                                                                                                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C11449,?,?,00000000), ref: 00C11828
                                                                                                                                                                                                                                                                                                                                                                                • GetCurrentProcess.KERNEL32(?,00000000,?,00C11449,?,?,00000000), ref: 00C11830
                                                                                                                                                                                                                                                                                                                                                                                • DuplicateHandle.KERNEL32(00000000,?,00C11449,?,?,00000000), ref: 00C11833
                                                                                                                                                                                                                                                                                                                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C11449,?,?,00000000), ref: 00C11843
                                                                                                                                                                                                                                                                                                                                                                                • GetCurrentProcess.KERNEL32(00C11449,00000000,?,00C11449,?,?,00000000), ref: 00C1184B
                                                                                                                                                                                                                                                                                                                                                                                • DuplicateHandle.KERNEL32(00000000,?,00C11449,?,?,00000000), ref: 00C1184E
                                                                                                                                                                                                                                                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,00C11874,00000000,00000000,00000000), ref: 00C11868
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1957940570-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 145c4001431b4a696471c36ba92c63177701b28e586bd45cc89cb91715e720ed
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f97ac1a25f3113646b881a167be08c480673efa5413900c2d8b279dc182cc309
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 145c4001431b4a696471c36ba92c63177701b28e586bd45cc89cb91715e720ed
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2D01AC75641304BFE650ABA5DC89F5F3B6CFB8AB11F014411FA05DB1A1C67498108B20
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB7620: _wcslen.LIBCMT ref: 00BB7625
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C1C6EE
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00C1C735
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C1C79C
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C1C7CA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ItemMenu$Info_wcslen$Default
• String ID: 0$8U$8U
• API String ID: 1227352736-4040796418
• Opcode ID: 2f4573375f728ff9da5ab376dc75c41425e5ec16438d0736adcf53716b6fdfd4
• Instruction ID: 9846d11ea68f6ffc563f2e0376c0096adc2df1f3163ddc4ddd91baf3b5addd76
• Opcode Fuzzy Hash: 2f4573375f728ff9da5ab376dc75c41425e5ec16438d0736adcf53716b6fdfd4
• Instruction Fuzzy Hash: 6E51D0716843019BD7109F28C8C5BFF77E8AF46314F040A6DF9A5D21E0DBA0DA84EB96
APIs
  • Part of subcall function 00C1D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C1D501
  • Part of subcall function 00C1D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C1D50F
  • Part of subcall function 00C1D4DC: CloseHandle.KERNEL32(00000000), ref: 00C1D5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C3A16D
• GetLastError.KERNEL32 ref: 00C3A180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C3A1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00C3A268
• GetLastError.KERNEL32(00000000), ref: 00C3A273
• CloseHandle.KERNEL32(00000000), ref: 00C3A2C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: 67e40d74f9a9b7c5223ebc203592e435e55f36813ffa7648d92ee5171f587979
• Instruction ID: 96539d7dd56494c6bb9aa2db72e2c6b7ac8f50763d1c9d21b4d8446f75b93f1b
• Opcode Fuzzy Hash: 67e40d74f9a9b7c5223ebc203592e435e55f36813ffa7648d92ee5171f587979
• Instruction Fuzzy Hash: F861B2342142419FD710DF19C494F6ABBE1AF45318F18849CF4AA8B7A3C776ED49CB92
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C43925
• SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00C4393A
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C43954
• _wcslen.LIBCMT ref: 00C43999
• SendMessageW.USER32(?,00001057,00000000,?), ref: 00C439C6
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C439F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: MessageSend$Window_wcslen
• String ID: SysListView32
• API String ID: 2147712094-78025650
• Opcode ID: acc47aaf3281e66b8b9341736f711f54c7e10ae41b821e0301b0e0f1c09c8cb0
• Instruction ID: d034c33f6e17f346f4ca69ac7589583987e7682d6718b3006153ef17f1f21af9
• Opcode Fuzzy Hash: acc47aaf3281e66b8b9341736f711f54c7e10ae41b821e0301b0e0f1c09c8cb0
• Instruction Fuzzy Hash: 8541B371A00218ABEF219FA4CC49BEE7BA9FF58350F110526F958E7291D7719E84CB90
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 00C1C913
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: IconLoad
                                                                                                                                                                                                                                                                                                                                                                                • String ID: blank$info$question$stop$warning
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2457776203-404129466
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: b1efc7c0a58651d431da627ca1df9f48f4bd9fddef19ab2b1e4e61d02f12f711
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 7c273e90510e8c804b14a67dcde2dfefc66a3e763a785ee3426de0b29ea68960
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b1efc7c0a58651d431da627ca1df9f48f4bd9fddef19ab2b1e4e61d02f12f711
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8E1127326C9706BBA7049B559CC3DEE67DCDF17364F20407BF504AA2C2E7B05E806268
                                                                                                                                                                                                                                                                                                                                                                                APIs
Similarity
• API ID: _wcslen$LocalTime
• String ID:
• API String ID: 952045576-0
• Opcode ID: ad327767fc94c9fc46ab0115570b42132214c0df043cdca52109c3a834195a39
• Instruction ID: 1276285495151e985199b5b9c2f51834600915ef5f13e358d4aace88e64ae435
• Opcode Fuzzy Hash: ad327767fc94c9fc46ab0115570b42132214c0df043cdca52109c3a834195a39
• Instruction Fuzzy Hash: 60416065C1021866CB11EBB4CC8A9CFB7E8AF46710F5085A7E918E3221FB34E695C7E5
APIs
• ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C0682C,00000004,00000000,00000000), ref: 00BCF953
• ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00C0682C,00000004,00000000,00000000), ref: 00C0F3D1
• ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C0682C,00000004,00000000,00000000), ref: 00C0F454
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: 6f087975c4abe8413a8a169a3c320568b2981c828f60b15f806654c11813d7a2
• Instruction ID: 1fccb46d16567e4cf58fa1d74b68f6d91d6ad1b527eb16e74f134f6dc3253059
• Opcode Fuzzy Hash: 6f087975c4abe8413a8a169a3c320568b2981c828f60b15f806654c11813d7a2
• Instruction Fuzzy Hash: 21411630608681BACF788B6988C8F7E7BD3BB46320F1444FCE487569B0C6B1E981CB11
APIs
• DeleteObject.GDI32(00000000), ref: 00C42D1B
• GetDC.USER32(00000000), ref: 00C42D23
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C42D2E
• ReleaseDC.USER32(00000000,00000000), ref: 00C42D3A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C42D76
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C42D87
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C45A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00C42DC2
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C42DE1
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: c348c9f0fe10307c574ad634a300b470756704eff09b23b1483f5b2beba25b4e
• Instruction ID: c729d4cc67ccd5bb628aa431b7f4490e390e324c854db61f43190b03a13cf193
• Opcode Fuzzy Hash: c348c9f0fe10307c574ad634a300b470756704eff09b23b1483f5b2beba25b4e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6C317A76202614BFEB218F50CC8AFEB3FA9FF0A715F044055FE089A2A1C6759C50CBA4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _memcmp
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2931989736-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 64d5607eaf01e16cc3c5ec1c2555d437c1c8acc016867a3ad69ce4c9b5180efa
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 7ec880cce08dba1748ee74a75b8774a7e3a0d14ea1c9ba7411678af6261ae6d0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 64d5607eaf01e16cc3c5ec1c2555d437c1c8acc016867a3ad69ce4c9b5180efa
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B921F661B40A09FBD2145A258E82FFA739CFFA3394F440035FD049A782F760EE51A1E9
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID: NULL Pointer assignment$Not an Object type
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 0-572801152
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: e828d164a5d2a8ee27103eb956f971c7752e3dd53abb0c49034de372dda95896
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 1acaac62a93dda31597fa79565b742668eb3ba576f0fe965423f261881805a46
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e828d164a5d2a8ee27103eb956f971c7752e3dd53abb0c49034de372dda95896
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C6D1E375A1060A9FDF14CFA8C880FAEB7B5FF48344F148069E925AB291E771DE41CB90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00BF17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00BF15CE
                                                                                                                                                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BF1651
                                                                                                                                                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00BF17FB,?,00BF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BF16E4
                                                                                                                                                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BF16FB
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BE3820: RtlAllocateHeap.NTDLL(00000000,?,00C81444,?,00BCFDF5,?,?,00BBA976,00000010,00C81440,00BB13FC,?,00BB13C6,?,00BB1129), ref: 00BE3852
                                                                                                                                                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00BF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BF1777
                                                                                                                                                                                                                                                                                                                                                                                • __freea.LIBCMT ref: 00BF17A2
                                                                                                                                                                                                                                                                                                                                                                                • __freea.LIBCMT ref: 00BF17AE
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2829977744-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: aec4bf137ecbb50699bf0e196628c22bc714bb06998873947beb04fc7125c72f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 3d4bd42a5b8511c6b82e6c67976d1b1a64111241d60b5d075b2e2d1451842bd5
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: aec4bf137ecbb50699bf0e196628c22bc714bb06998873947beb04fc7125c72f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1091B271E0021ADADB209E78C881AFEBBF5EF59310F184E99EA05E7151D735DC48CB60
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Variant$ClearInit
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2610073882-625585964
• Opcode ID: a7a51e3e796a0a02a405462f766b2f388c5030b150de983d14304c83716f118a
• Instruction ID: 88c44d1c96ccfca649eb3b03b9aa646129af0f10800e139bcd571cf38689e36b
• Opcode Fuzzy Hash: a7a51e3e796a0a02a405462f766b2f388c5030b150de983d14304c83716f118a
• Instruction Fuzzy Hash: 4991A171E10219AFDF28CFA5C885FAEBBB8EF46710F108559F515AB290D770A941CFA0
APIs
• SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C2125C
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C21284
• SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C212A8
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C212D8
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C2135F
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C213C4
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C21430
Similarity
• API ID: ArraySafe$Data$Access$UnaccessVartype
• String ID:
• API String ID: 2550207440-0
• Opcode ID: 6c0e965ad77eaa99df913d34f17a41b5afc161a67dfe891ade54d919168993f7
• Instruction ID: 9b968fdd06d29f27c15fe53de03658187fe99d425e12d92821fd00c02d254b03
• Opcode Fuzzy Hash: 6c0e965ad77eaa99df913d34f17a41b5afc161a67dfe891ade54d919168993f7
• Instruction Fuzzy Hash: CD911475A002289FDB00DFA8E884BBEB7F5FF55320F294069E910E76A1D774E941CB90
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 3a37cb0d2371aadced3aa97b9130f81d01a59a6aaaf9991b00221775c415287b
• Instruction ID: 0c8ed45b7a97bdbc7ce678e7dd742161774d79ce4e658c9058f5d18b79444315
• Opcode Fuzzy Hash: 3a37cb0d2371aadced3aa97b9130f81d01a59a6aaaf9991b00221775c415287b
• Instruction Fuzzy Hash: F9910671D00219EFDB14CFA9CC88AEEBBB8FF49320F148599E515B7291D774AA41CB60
APIs
• VariantInit.OLEAUT32(?), ref: 00C3396B
• CharUpperBuffW.USER32(?,?), ref: 00C33A7A
• _wcslen.LIBCMT ref: 00C33A8A
• VariantClear.OLEAUT32(?), ref: 00C33C1F
  • Part of subcall function 00C20CDF: VariantInit.OLEAUT32(00000000), ref: 00C20D1F
  • Part of subcall function 00C20CDF: VariantCopy.OLEAUT32(?,?), ref: 00C20D28
  • Part of subcall function 00C20CDF: VariantClear.OLEAUT32(?), ref: 00C20D34
Strings
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4137639002-1221869570
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 8613f31b5dcfd5f3891fb0648f5198f684b22e747549396812ad1989b9ae2b9b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 452b91e32236bcef43abd403413ee7f7b28dbc2f11796472f1a95f9c9d02e08f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8613f31b5dcfd5f3891fb0648f5198f684b22e747549396812ad1989b9ae2b9b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E4919974A183459FC700EF68C48096ABBE4FF89314F14896DF89A9B351DB30EE45CB92
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C1000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?,?,?,00C1035E), ref: 00C1002B
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C1000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?,?), ref: 00C10046
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C1000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?,?), ref: 00C10054
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C1000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?), ref: 00C10064
                                                                                                                                                                                                                                                                                                                                                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00C34C51
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00C34D59
                                                                                                                                                                                                                                                                                                                                                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00C34DCF
                                                                                                                                                                                                                                                                                                                                                                                • CoTaskMemFree.OLE32(?), ref: 00C34DDA
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                                                                                                                                                                                                                                                                                                                                • String ID: NULL Pointer assignment
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 614568839-2785691316
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d713c6165b6a0701d1f9ef033d39bffa6147be4c02d9e808cd68c4ed289ea09a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 8edff46aea1f493944c9abfca74bc071ea240d3fa230712aa5fd1b6ab10e46a5
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d713c6165b6a0701d1f9ef033d39bffa6147be4c02d9e808cd68c4ed289ea09a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A7910771D0021DAFDF14DFA4D891AEEB7B9FF08310F10416AE915A7291EB74AA45CF60
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BD0242: EnterCriticalSection.KERNEL32(00C8070C,00C81884,?,?,00BC198B,00C82518,?,?,?,00BB12F9,00000000), ref: 00BD024D
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BD0242: LeaveCriticalSection.KERNEL32(00C8070C,?,00BC198B,00C82518,?,?,?,00BB12F9,00000000), ref: 00BD028A
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BD00A3: __onexit.LIBCMT ref: 00BD00A9
                                                                                                                                                                                                                                                                                                                                                                                • __Init_thread_footer.LIBCMT ref: 00C37BFB
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BD01F8: EnterCriticalSection.KERNEL32(00C8070C,?,?,00BC8747,00C82514), ref: 00BD0202
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BD01F8: LeaveCriticalSection.KERNEL32(00C8070C,?,00BC8747,00C82514), ref: 00BD0235
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: x$5$G x$G x$Variable must be of type 'Object'.
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 535116098-4145485933
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: bcb3dc5f1156f5ef3e3165a0ae7dbf24bc664f63a9253778b8eedadb6f26856d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 09ddc6c33a70f95a1d2dd2f221c3a3925950958ea60361ee421f6b53efdb447f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: bcb3dc5f1156f5ef3e3165a0ae7dbf24bc664f63a9253778b8eedadb6f26856d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E2919DB0A14209EFCB24EF54D895DBDB7B1FF45304F108199F816AB2A2DB71AE41DB50
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetMenu.USER32(?), ref: 00C42183
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemCount.USER32(00000000), ref: 00C421B5
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C421DD
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00C42213
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemID.USER32(?,?), ref: 00C4224D
                                                                                                                                                                                                                                                                                                                                                                                • GetSubMenu.USER32(?,?), ref: 00C4225B
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C13A57
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C13A3D: GetCurrentThreadId.KERNEL32 ref: 00C13A5E
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C125B3), ref: 00C13A65
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C422E3
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C1E97B: Sleep.KERNEL32 ref: 00C1E9F3
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4196846111-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 34532afc71b0c25ebebfb8e1cdfab39755d26fcbb6dc0d8d6ab9b19abe2f8676
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 2172d19f042bc5a8af64bba9afdae7117ecbd5d405e88a18f814b114c88d7572
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 34532afc71b0c25ebebfb8e1cdfab39755d26fcbb6dc0d8d6ab9b19abe2f8676
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BE718075A00205AFCB10DF65C886AAEBBF5FF49320F508499F816EB351DB74AE41DB90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetParent.USER32(?), ref: 00C1AEF9
                                                                                                                                                                                                                                                                                                                                                                                • GetKeyboardState.USER32(?), ref: 00C1AF0E
                                                                                                                                                                                                                                                                                                                                                                                • SetKeyboardState.USER32(?), ref: 00C1AF6F
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 00C1AF9D
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 00C1AFBC
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00C1AFFD
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C1B020
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessagePost$KeyboardState$Parent
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 87235514-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: a8891191cc108e4ac12d5943c2f0a61979b7aacb2ad69c1524eef3a7288fec5c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: b1fb1c8d93515f1ec822db7b5add68a817ead89fb22779229450a705432392a4
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a8891191cc108e4ac12d5943c2f0a61979b7aacb2ad69c1524eef3a7288fec5c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6051E3E06057D53DFB3682748C45BFA7EA95B07304F088489F1E9454D2C3E8AED9E761
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetParent.USER32(00000000), ref: 00C1AD19
                                                                                                                                                                                                                                                                                                                                                                                • GetKeyboardState.USER32(?), ref: 00C1AD2E
                                                                                                                                                                                                                                                                                                                                                                                • SetKeyboardState.USER32(?), ref: 00C1AD8F
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C1ADBB
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C1ADD8
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C1AE17
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C1AE38
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessagePost$KeyboardState$Parent
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 87235514-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 816ccdbd261a7dc85f37f938e78c3ee7452845756964bf8c2ca6394e23c7e798
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 1f0a8ed6ef9f03f332f5b2ef9954dcaa650d02cb6db454f978344b37f0dafa60
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 816ccdbd261a7dc85f37f938e78c3ee7452845756964bf8c2ca6394e23c7e798
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FF51D6A1505BD53DFB3692348C95BFA7EA86F47300F088488F1E5468C2C2A4EDD8F752
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetConsoleCP.KERNEL32(00BF3CD6,?,?,?,?,?,?,?,?,00BE5BA3,?,?,00BF3CD6,?,?), ref: 00BE5470
                                                                                                                                                                                                                                                                                                                                                                                • __fassign.LIBCMT ref: 00BE54EB
                                                                                                                                                                                                                                                                                                                                                                                • __fassign.LIBCMT ref: 00BE5506
                                                                                                                                                                                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00BF3CD6,00000005,00000000,00000000), ref: 00BE552C
                                                                                                                                                                                                                                                                                                                                                                                • WriteFile.KERNEL32(?,00BF3CD6,00000000,00BE5BA3,00000000,?,?,?,?,?,?,?,?,?,00BE5BA3,?), ref: 00BE554B
                                                                                                                                                                                                                                                                                                                                                                                • WriteFile.KERNEL32(?,?,00000001,00BE5BA3,00000000,?,?,?,?,?,?,?,?,?,00BE5BA3,?), ref: 00BE5584
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1324828854-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: da82b8f8ae95301ccf991dc6c023ae4f06cf8bb37bbdfce9070548a58cbea805
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 6162dfb22294cb8b5aaffc90e5bc6f3b0e24a53d48cc602294292089d955630d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: da82b8f8ae95301ccf991dc6c023ae4f06cf8bb37bbdfce9070548a58cbea805
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7551F471A006899FDB20CFA9D885BEEBBF9EF19304F24409AF555E7291D7309A40CB60
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _free
                                                                                                                                                                                                                                                                                                                                                                                • String ID: x
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 269201875-3713776305
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 3b43a442a61eda07880525ee95aaa4eb1b480a0d3ca65ed4f39912933f15101d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 0dfeda684c52cb24c49d6a4744b127c1a890d48f512158c37d11036d3bbc5e46
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3b43a442a61eda07880525ee95aaa4eb1b480a0d3ca65ed4f39912933f15101d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9E41D332A002449FDB24DF79C881A5DB7F9EF89314F1545E9E516EB392D731AE01CB81
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 00BD2D4B
                                                                                                                                                                                                                                                                                                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00BD2D53
                                                                                                                                                                                                                                                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 00BD2DE1
                                                                                                                                                                                                                                                                                                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00BD2E0C
                                                                                                                                                                                                                                                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 00BD2E61
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                                                                                                                                                                • String ID: csm
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c419d2af95f263ba532b42430ea133035979d89f90bc34cc8eb5bc5755889fbb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: a01c9b027126cf70e3c9ef2939fa97fecea2d500887cb98abfb466010de5021e
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c419d2af95f263ba532b42430ea133035979d89f90bc34cc8eb5bc5755889fbb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9641B534A002499BCF10DF68C885A9EFBF5FF54354F1481E6E815AB392E7329A15CBD1
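The API bullets above (call name, resolving module, call-site argument values with `?` where the value was not resolved, and the `ref:` address of the call) are easiest to triage in bulk once parsed. The following Python is an added example and not part of the Joe Sandbox report or its IDA plugin: it parses bullets in that shape, including the "Part of subcall function" form, decodes the well-known Winsock constants in a `socket()` call, and tags calls resolved from networking modules. The sample listing embedded in it is constructed in the report's format; the `NETWORK_MODULES` set and the note strings are this example's own choices.

```python
"""Parse the per-function "APIs" bullets of a Joe Sandbox IDA-plugin listing.

Each bullet names an imported API, the module it was resolved from, the
argument values seen at the call site ("?" when unresolved) and the address
of the call ("ref"). Bullets prefixed "Part of subcall function X:" report a
call made by a callee rather than by the function itself.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Well-known Winsock constants (winsock2.h / ws2def.h).
ADDRESS_FAMILIES = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTOCOLS = {0: "default", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
# Modules whose calls we tag as network activity (this example's own choice).
NETWORK_MODULES = {"WSOCK32", "WS2_32", "WININET", "WINHTTP", "URLMON"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the sandbox printed "?"
    ref: int                    # address of the call instruction
    subcall_of: Optional[int]   # callee address when reported as a subcall
    notes: List[str] = field(default_factory=list)


def parse_args(text: Optional[str]) -> List[Optional[int]]:
    """Turn "?,00000002,00000001" into [None, 2, 1]."""
    if not text:
        return []
    return [None if a.strip() == "?" else int(a, 16) for a in text.split(",")]


def describe(call: ApiCall) -> List[str]:
    """Notes for calls whose constant arguments can be decoded."""
    notes = []
    if call.module in NETWORK_MODULES:
        notes.append("network")
    if call.api == "socket" and len(call.args) >= 3:
        af, ty, proto = call.args[:3]
        notes.append(
            f"socket({ADDRESS_FAMILIES.get(af, af)}, "
            f"{SOCKET_TYPES.get(ty, ty)}, {PROTOCOLS.get(proto, proto)})"
        )
    if call.api == "WriteFile":
        notes.append("file/console write")
    return notes


def parse_api_listing(text: str) -> List[ApiCall]:
    """Extract every API bullet; headings and dump metadata are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        call = ApiCall(
            api=m["api"],
            module=m["mod"],
            args=parse_args(m["args"]),
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        )
        call.notes = describe(call)
        calls.append(call)
    return calls


# Constructed sample in the shape of the report's API bullets; addresses and
# argument values are illustrative, not taken from a live analysis.
SAMPLE = """
APIs
• __fassign.LIBCMT ref: 00BE54EB
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00BF3CD6,00000005,00000000,00000000), ref: 00BE552C
• WriteFile.KERNEL32(?,00BF3CD6,00000000,00BE5BA3,00000000,?,?), ref: 00BE554B
  • Part of subcall function 00C3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C3307A
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C31112
• closesocket.WSOCK32(00000000), ref: 00C311F9
Strings
"""

if __name__ == "__main__":
    for c in parse_api_listing(SAMPLE):
        print(f"{c.ref:08X} {c.api}.{c.module} {c.args} {c.notes}")
```

Run it on a report section copied into `SAMPLE` or read from a file; a `socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)` note next to a `ref:` address tells you where to start in the disassembly when checking whether a TCP socket is used for an outbound connection or a listening backdoor.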
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C3307A
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C3304E: _wcslen.LIBCMT ref: 00C3309B
                                                                                                                                                                                                                                                                                                                                                                                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C31112
                                                                                                                                                                                                                                                                                                                                                                                • WSAGetLastError.WSOCK32 ref: 00C31121
                                                                                                                                                                                                                                                                                                                                                                                • WSAGetLastError.WSOCK32 ref: 00C311C9
                                                                                                                                                                                                                                                                                                                                                                                • closesocket.WSOCK32(00000000), ref: 00C311F9
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2675159561-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 83a9406017701db614ca384e1f0274c143762dceeeab35b1e193ad58c9e1caf4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 7521c806c990bf5e838fb69f98daa1fb1b3e764acffea580bb258fcee6850c13
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 83a9406017701db614ca384e1f0274c143762dceeeab35b1e193ad58c9e1caf4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B741C135610204AFDB109F14C885BEEBBE9FF45364F188059FD1A9B2A2C774AE41CBA1
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C1DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C1CF22,?), ref: 00C1DDFD
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C1DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C1CF22,?), ref: 00C1DE16
                                                                                                                                                                                                                                                                                                                                                                                • lstrcmpiW.KERNEL32(?,?), ref: 00C1CF45
                                                                                                                                                                                                                                                                                                                                                                                • MoveFileW.KERNEL32(?,?), ref: 00C1CF7F
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00C1D005
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00C1D01B
                                                                                                                                                                                                                                                                                                                                                                                • SHFileOperationW.SHELL32(?), ref: 00C1D061
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                                                                                                                                                                                                                                                                                                                                • String ID: \*.*
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3164238972-1173974218
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 215b4fac5fa786e0cb9dcb027ca29b225f5b354832ffa61c40342e4a7e2a846c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 53deee3223e67f2f647b0e1484e30a06450f109ec8b94702907289dd30d46682
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 215b4fac5fa786e0cb9dcb027ca29b225f5b354832ffa61c40342e4a7e2a846c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3D4133719452199FDF12EFA4D9C1AEEB7F9AF09380F1000E6E505EB142EB34A789DB50
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00C42E1C
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00C42E4F
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00C42E84
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00C42EB6
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00C42EE0
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00C42EF1
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C42F0B
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: LongWindow$MessageSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2178440468-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: e8f2fbc3488d02ad3c1894c74d64f33585c4f5e2237cb295f1241debe254cf9f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ac2819eed9b3a6e119cdab76613c8ff062d4db27dd0be6ba3465674732e89f10
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e8f2fbc3488d02ad3c1894c74d64f33585c4f5e2237cb295f1241debe254cf9f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E93126346051509FEB20CF58DC86FA937E4FB4A721F990164F9248F2B2CB71AD41EB00
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C17769
                                                                                                                                                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C1778F
                                                                                                                                                                                                                                                                                                                                                                                • SysAllocString.OLEAUT32(00000000), ref: 00C17792
                                                                                                                                                                                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 00C177B0
                                                                                                                                                                                                                                                                                                                                                                                • SysFreeString.OLEAUT32(?), ref: 00C177B9
                                                                                                                                                                                                                                                                                                                                                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 00C177DE
                                                                                                                                                                                                                                                                                                                                                                                • SysAllocString.OLEAUT32(?), ref: 00C177EC
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: c714f196618087e5e2d94ce1a0cf9136c3586c19c35d83f50a08001c2d80dfdd
• Instruction ID: 727df8081d579f7ea56fed87806d58385d0c1dc6fb2b7239f650cc3f4d535049
• Opcode Fuzzy Hash: c714f196618087e5e2d94ce1a0cf9136c3586c19c35d83f50a08001c2d80dfdd
• Instruction Fuzzy Hash: 2921D33A604209AFDB01DFA8CC84EFF73ACFB0A360B008165B915CB1A0D670DD81D7A0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C17842
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C17868
• SysAllocString.OLEAUT32(00000000), ref: 00C1786B
• SysAllocString.OLEAUT32 ref: 00C1788C
• SysFreeString.OLEAUT32 ref: 00C17895
• StringFromGUID2.OLE32(?,?,00000028), ref: 00C178AF
• SysAllocString.OLEAUT32(?), ref: 00C178BD
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 7775e8a43113e3c30f2d85a8ca404c300fcce0e64a21466971a891fc516a8d7d
• Instruction ID: 76dbd48361b07f6f5a9efe56166b992cfe7913a99c4e0dc6efcf655c72952f15
• Opcode Fuzzy Hash: 7775e8a43113e3c30f2d85a8ca404c300fcce0e64a21466971a891fc516a8d7d
• Instruction Fuzzy Hash: 32218135605105AFEB10AFA8DC88EFA77FCFB0A3607108125B915DB2A1D674DD81DB74
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00C204F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C2052E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: 62f9d49257467d04f487e5307ca0e7a404e4d94c995fc5d7b0d05a3b43b20090
• Instruction ID: eb9b7ee3666828e836199bdb1b4f60d1a3d118ae0872a74688514c18fc09b44b
• Opcode Fuzzy Hash: 62f9d49257467d04f487e5307ca0e7a404e4d94c995fc5d7b0d05a3b43b20090
• Instruction Fuzzy Hash: 372182756003199BDB208F29EC44B9A77F4BF45724F304A2AF8B1D61E2D7B09A40CF64
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00C205C6
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C20601
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: f40c0262b08fa8e6c10919f7874c759484334dc370db4ca2ff2d2166611ad4c0
• Instruction ID: cfecf59dd78d090371166fc32970138286e870706d596eba9e7259a0f2e10418
• Opcode Fuzzy Hash: f40c0262b08fa8e6c10919f7874c759484334dc370db4ca2ff2d2166611ad4c0
• Instruction Fuzzy Hash: C2214F756003259FDB209F69AC44B9A77E4BF95721F300A1AFCB1E76E2D7B09960CB10
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BB604C
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB600E: GetStockObject.GDI32(00000011), ref: 00BB6060
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB606A
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C44112
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C4411F
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C4412A
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C44139
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C44145
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Msctls_Progress32
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1025951953-3636473452
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 3718a4bfeb54fd9a8279adca96acd9811992b79b59f1828027762270dde360db
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ca3b3842702419fe030012ed8ec3cba908d19174934ef0db6f5ca8e5056bff29
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3718a4bfeb54fd9a8279adca96acd9811992b79b59f1828027762270dde360db
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C91193B114011D7EEF119E64CC85EEB7F9DFF09798F114111FA18A2050C6729C21DBA4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BED7A3: _free.LIBCMT ref: 00BED7CC
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BED82D
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000), ref: 00BE29DE
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BE29C8: GetLastError.KERNEL32(00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000,00000000), ref: 00BE29F0
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BED838
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BED843
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BED897
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BED8A2
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BED8AD
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BED8B8
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 4059972c3297005db9ef4f86bc082019e39afb7954e83333b41d8a487007714f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 31113071540B88BAD621BFF2CC47FCB7BDCAF04700F404865B699A6593DBB9B9058760
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C1DA74
                                                                                                                                                                                                                                                                                                                                                                                • LoadStringW.USER32(00000000), ref: 00C1DA7B
                                                                                                                                                                                                                                                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C1DA91
                                                                                                                                                                                                                                                                                                                                                                                • LoadStringW.USER32(00000000), ref: 00C1DA98
                                                                                                                                                                                                                                                                                                                                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C1DADC
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                • %s (%d) : ==> %s: %s %s, xrefs: 00C1DAB9
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: HandleLoadModuleString$Message
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4072794657-3128320259
• Opcode ID: cd9fb56ccd183fb8abf1364938d291c68f2fc97ef437a23c49633cbea051a53a
• Instruction ID: 5c61e1ad1b58b22836a0d77a5a2221593466d1d52679af608f5ab969022a829a
• Opcode Fuzzy Hash: cd9fb56ccd183fb8abf1364938d291c68f2fc97ef437a23c49633cbea051a53a
• Instruction Fuzzy Hash: D80162F65002087FE750DBA09DC9FEB366CEB09701F404491B706E2051EA749E845F74
APIs
• InterlockedExchange.KERNEL32(00E5E0A0,00E5E0A0), ref: 00C2097B
• EnterCriticalSection.KERNEL32(00E5E080,00000000), ref: 00C2098D
• TerminateThread.KERNEL32(?,000001F6), ref: 00C2099B
• WaitForSingleObject.KERNEL32(?,000003E8), ref: 00C209A9
• CloseHandle.KERNEL32(?), ref: 00C209B8
• InterlockedExchange.KERNEL32(00E5E0A0,000001F6), ref: 00C209C8
• LeaveCriticalSection.KERNEL32(00E5E080), ref: 00C209CF
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: 010e2e76766b5b1d7b5df08ee681995b4faa1b2940198850f7a2360b43c4c6d8
• Instruction ID: 9deb6116d5c797c6698d7a47d05a7258570750e95d48a9bb9c8513ec524393d9
• Opcode Fuzzy Hash: 010e2e76766b5b1d7b5df08ee681995b4faa1b2940198850f7a2360b43c4c6d8
• Instruction Fuzzy Hash: 6AF0CD35543A12ABD7916F94EEC9BDA7A25BF06702F501016F102508B1C7B59575CF90
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C31DC0
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C31DE1 (import by ordinal; ordinal 17 of wsock32.dll is recvfrom, and the last argument 0x10 matches sizeof(sockaddr_in))
• WSAGetLastError.WSOCK32 ref: 00C31DF2
• htons.WSOCK32(?,?,?,?,?), ref: 00C31EDB
• inet_ntoa.WSOCK32(?), ref: 00C31E8C
  • Part of subcall function 00C139E8: _strlen.LIBCMT ref: 00C139F2
  • Part of subcall function 00C33224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00C2EC0C), ref: 00C33240
• _strlen.LIBCMT ref: 00C31F35
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
• String ID:
• API String ID: 3203458085-0
• Opcode ID: a4aff4ec5bd2913893c769cea24dcc53839685727ad448811a08a9bde1fe94fd
• Instruction ID: 5ed079399ab6f83b74a75a946b09605da11fd7addda761a1cb030cca1ac39c12
• Opcode Fuzzy Hash: a4aff4ec5bd2913893c769cea24dcc53839685727ad448811a08a9bde1fe94fd
• Instruction Fuzzy Hash: 8DB1C130214340AFC324DF64C895F6A7BE5AF89318F58859CF8665B2E2DB71EE41CB91
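The function records above are useful for triage only once the call lines are machine-readable: ordinal-only imports such as #17.WSOCK32 need resolving to a symbol, "Part of subcall function" entries need separating from the function's own calls, and the fuzzy-hash and dump-metadata lines need skipping. The parser below is an added example for this report, not Joe Sandbox code or code recovered from the sample. It assumes the line format shown in these records, and its ordinal table reproduces the standard export ordinals of wsock32.dll (which match ws2_32.dll for ordinals 1 to 23); the embedded SAMPLE_NET text is copied from the network function record on this page.

```python
"""Parse Joe Sandbox IDA-plugin API listings into structured call records.

Added example for this report; not Joe Sandbox code or code from the sample.
WSOCK32_ORDINALS reproduces the standard export ordinals of wsock32.dll.
SAMPLE_NET is copied from the network function record of this report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Standard wsock32.dll export ordinals (same as ws2_32.dll for 1-23).
WSOCK32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 5: "getpeername",
    6: "getsockname", 7: "getsockopt", 8: "htonl", 9: "htons", 10: "inet_addr",
    11: "inet_ntoa", 12: "ioctlsocket", 13: "listen", 14: "ntohl", 15: "ntohs",
    16: "recv", 17: "recvfrom", 18: "select", 19: "send", 20: "sendto",
    21: "setsockopt", 22: "shutdown", 23: "socket",
}

# One call line: optional bullet, optional subcall prefix, API.DLL, optional
# argument list, then the call-site address after "ref:".
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<dll>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Copied from the network function record of this report (sample input).
SAMPLE_NET = """\
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C31DC0
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C31DE1
• WSAGetLastError.WSOCK32 ref: 00C31DF2
• htons.WSOCK32(?,?,?,?,?), ref: 00C31EDB
• inet_ntoa.WSOCK32(?), ref: 00C31E8C
  • Part of subcall function 00C139E8: _strlen.LIBCMT ref: 00C139F2
  • Part of subcall function 00C33224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00C2EC0C), ref: 00C33240
• _strlen.LIBCMT ref: 00C31F35
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
"""


@dataclass
class ApiCall:
    api: str                          # name as printed, e.g. "#17"
    dll: str
    args: list[str]                   # "?" means the plugin could not recover the value
    ref: str                          # call-site address
    subcall_of: Optional[str] = None  # callee function address when the call is indirect

    @property
    def name(self) -> str:
        """Resolve ordinal-only WSOCK32 imports (e.g. "#17") to a symbol name."""
        if self.api.startswith("#") and self.dll.upper() == "WSOCK32":
            return WSOCK32_ORDINALS.get(int(self.api[1:]), self.api)
        return self.api


def parse_listing(text: str) -> list[ApiCall]:
    """Return the API calls in one function record; non-call lines are skipped."""
    calls: list[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # "APIs", hashes, dump metadata
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["dll"], args, m["ref"].upper(), m["sub"]))
    return calls


def call_sequence(calls: list[ApiCall], include_subcalls: bool = False) -> list[str]:
    """Resolved API names in listing order, optionally including subcall entries."""
    return [c.name for c in calls if include_subcalls or c.subcall_of is None]


def imported_dlls(calls: list[ApiCall]) -> set[str]:
    return {c.dll.upper() for c in calls}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_NET)
    print("direct calls :", " -> ".join(call_sequence(parsed)))
    print("with subcalls:", " -> ".join(call_sequence(parsed, include_subcalls=True)))
    print("DLLs         :", sorted(imported_dlls(parsed)))
```

Run on the record above, the direct sequence resolves to __WSAFDIsSet, recvfrom, WSAGetLastError, htons, inet_ntoa, _strlen, which reads as a select()-guarded datagram receive followed by conversion of the peer address and port to text. The parser keeps "?" placeholders as literal arguments rather than guessing values, since the plugin emits them where it could not recover the operand.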
APIs
• GetClientRect.USER32(?,?), ref: 00BB5D30
• GetWindowRect.USER32(?,?), ref: 00BB5D71
• ScreenToClient.USER32(?,?), ref: 00BB5D99
• GetClientRect.USER32(?,?), ref: 00BB5ED7
• GetWindowRect.USER32(?,?), ref: 00BB5EF8
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Rect$Client$Window$Screen
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1296646539-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 750392e45a829af6efae4200b1421bf1272c8fd261bb0ae919d73c5bb99d1c49
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: b19120aef9db94e6da08c9ec93d5eaeff525eeba8f0aae2bf8e96e43b990374d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 750392e45a829af6efae4200b1421bf1272c8fd261bb0ae919d73c5bb99d1c49
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 58B15538A00A4ADBDB20CFA8C4807FAB7F1FF48310F14855AE9A9D7250DB74EA51DB55
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • __allrem.LIBCMT ref: 00BE00BA
                                                                                                                                                                                                                                                                                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE00D6
                                                                                                                                                                                                                                                                                                                                                                                • __allrem.LIBCMT ref: 00BE00ED
                                                                                                                                                                                                                                                                                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE010B
                                                                                                                                                                                                                                                                                                                                                                                • __allrem.LIBCMT ref: 00BE0122
                                                                                                                                                                                                                                                                                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE0140
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
• Instruction ID: 160118b9ee8a84aac45e35bdc8f8ddf4ce34e2b074d8795d30aa982607da0962
• Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
• Instruction Fuzzy Hash: 008107716017469BE720AF6ACC81B6BB3E9EF41324F2446BEF511DB381E7B0D9408795
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BD82D9,00BD82D9,?,?,?,00BE644F,00000001,00000001,8BE85006), ref: 00BE6258
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BE644F,00000001,00000001,8BE85006,?,?,?), ref: 00BE62DE
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BE63D8
• __freea.LIBCMT ref: 00BE63E5
  • Part of subcall function 00BE3820: RtlAllocateHeap.NTDLL(00000000,?,00C81444,?,00BCFDF5,?,?,00BBA976,00000010,00C81440,00BB13FC,?,00BB13C6,?,00BB1129), ref: 00BE3852
• __freea.LIBCMT ref: 00BE63EE
• __freea.LIBCMT ref: 00BE6413
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1414292761-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 714e7f55b789803b47fc829dc464ce864725d7e3e8aad1f88eae6506d32e5b42
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 47a22418d947e61771dac801c1f360b83ce1684495dfe88607ff16b202d488fa
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 714e7f55b789803b47fc829dc464ce864725d7e3e8aad1f88eae6506d32e5b42
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C251E372600296ABDB258F6ACC81FBF77E9EB64790F1446A9FD05D7180EB34DC40C664
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3B6AE,?,?), ref: 00C3C9B5
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3C9F1
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3CA68
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3CA9E
                                                                                                                                                                                                                                                                                                                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3BCCA
                                                                                                                                                                                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C3BD25
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00C3BD6A
                                                                                                                                                                                                                                                                                                                                                                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C3BD99
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C3BDF3
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00C3BDFF
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
• API String ID: 1120388591-0
• Opcode ID: 1465cfa68f12b6cf9f379345381b6313742b8ef3f73f0c3ce5aecb963ad74956
• Instruction ID: 2cc13e1d8d6a93d283522122b4e4458d6276f1c721992fc3397f3581849ae029
• Opcode Fuzzy Hash: 1465cfa68f12b6cf9f379345381b6313742b8ef3f73f0c3ce5aecb963ad74956
• Instruction Fuzzy Hash: B781B130218241EFC714DF24C891E6ABBE5FF84308F14859DF55A4B2A2DB31ED45CB92
APIs
• VariantInit.OLEAUT32(00000035), ref: 00C0F7B9
• SysAllocString.OLEAUT32(00000001), ref: 00C0F860
• VariantCopy.OLEAUT32(00C0FA64,00000000), ref: 00C0F889
• VariantClear.OLEAUT32(00C0FA64), ref: 00C0F8AD
• VariantCopy.OLEAUT32(00C0FA64,00000000), ref: 00C0F8B1
• VariantClear.OLEAUT32(?), ref: 00C0F8BB
Similarity
• API ID: Variant$ClearCopy$AllocInitString
• String ID:
• API String ID: 3859894641-0
• Opcode ID: 9ba467d8789c426546b3ec6f8b07a530e9a2dc07a6343ec0d149cfdefbb64c04
• Instruction ID: dc7955f991a5c4da7eb595dda7812d9652abc61a0698ff1bc696485ef2d72ad1
• Opcode Fuzzy Hash: 9ba467d8789c426546b3ec6f8b07a530e9a2dc07a6343ec0d149cfdefbb64c04
• Instruction Fuzzy Hash: DC51E735600310BBCF34AB65D895B79B3E8EF45310B24946EE906DF6D1DB708C82D7A6
APIs
  • Part of subcall function 00BB7620: _wcslen.LIBCMT ref: 00BB7625
  • Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A
• GetOpenFileNameW.COMDLG32(00000058), ref: 00C294E5
• _wcslen.LIBCMT ref: 00C29506
• _wcslen.LIBCMT ref: 00C2952D
• GetSaveFileNameW.COMDLG32(00000058), ref: 00C29585
Strings
Similarity
• API ID: _wcslen$FileName$OpenSave
• String ID: X
• API String ID: 83654149-3081909835
• Opcode ID: df5bdba9fd5eea6eff549801d78f50d368d1b380ad0cb027ec70bfd35c1617c2
• Instruction ID: fc7bfac5e7f24e5a8c96209662e245a456cb22391e48edee0c03941e1963839e
• Opcode Fuzzy Hash: df5bdba9fd5eea6eff549801d78f50d368d1b380ad0cb027ec70bfd35c1617c2
• Instruction Fuzzy Hash: 6CE1A1316083109FD724DF24D881AAAB7E4FF85310F1489ADF8999B2A2DB71DD45CB92
APIs
  • Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2
• BeginPaint.USER32(?,?,?), ref: 00BC9241
• GetWindowRect.USER32(?,?), ref: 00BC92A5
• ScreenToClient.USER32(?,?), ref: 00BC92C2
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BC92D3
• EndPaint.USER32(?,?,?,?,?), ref: 00BC9321
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00C071EA
  • Part of subcall function 00BC9339: BeginPath.GDI32(00000000), ref: 00BC9357
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3050599898-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 67c409740544a4ef90c2bfc87f29002edcd1b299ff3f4d3b0119be3902ad73bb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e892a5540dc3e3816e3f62f792120e9a9e4cad3c0c12b7f2c041a938b911e5e0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 67c409740544a4ef90c2bfc87f29002edcd1b299ff3f4d3b0119be3902ad73bb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 18419D71105200AFE710DF24DCC8FAA7BE8FB46320F0406A9F9A4872F1C7319945DB61
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C2080C
                                                                                                                                                                                                                                                                                                                                                                                • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C20847
                                                                                                                                                                                                                                                                                                                                                                                • EnterCriticalSection.KERNEL32(?), ref: 00C20863
                                                                                                                                                                                                                                                                                                                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00C208DC
                                                                                                                                                                                                                                                                                                                                                                                • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C208F3
                                                                                                                                                                                                                                                                                                                                                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C20921
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3368777196-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 9d2cf7cf83d58870e4835658274c528e4d3c6e6d50a1b19cdfcd79fc181dffb1
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: bfabfbf2c03b4089db9c8ae7f076b08d45c1553735e14e577fe8866a89603a17
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9d2cf7cf83d58870e4835658274c528e4d3c6e6d50a1b19cdfcd79fc181dffb1
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D5416B71900206EBDF14AF54DC85B6EB7B9FF04300F1440A9ED04AA2A7DB70DE65DBA0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C0F3AB,00000000,?,?,00000000,?,00C0682C,00000004,00000000,00000000), ref: 00C4824C
                                                                                                                                                                                                                                                                                                                                                                                • EnableWindow.USER32(?,00000000), ref: 00C48272
                                                                                                                                                                                                                                                                                                                                                                                • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00C482D1
                                                                                                                                                                                                                                                                                                                                                                                • ShowWindow.USER32(?,00000004), ref: 00C482E5
                                                                                                                                                                                                                                                                                                                                                                                • EnableWindow.USER32(?,00000001), ref: 00C4830B
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00C4832F
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Window$Show$Enable$MessageSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 642888154-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 67c92c3505e4858c0a35c9dd85968e3695810c07c97c303b4a13053c3e2f83eb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 40e60f7431494ccf4dc3f7a1405149e76928fb5dbd683deb992b78ca5e45f0d4
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 67c92c3505e4858c0a35c9dd85968e3695810c07c97c303b4a13053c3e2f83eb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8641A334601644EFDF21CF15C899BEC7BE0FB0A714F1852A9E9284B2B2CB71AD49CB54
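The API-trace records in this section print window messages and ShowWindow commands as raw hex (0000000D, 0000000E, 0000130C, 00000004), which slows triage. The following Python parser is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses trace lines of this shape into structured records, renames the constants that actually occur in these records to their WinUser.h / CommCtrl.h symbols (WM_GETTEXT, WM_GETTEXTLENGTH, TCM_SETCURSEL, SW_HIDE, SW_SHOWNOACTIVATE), and flags the ordered IsWindowVisible / WM_GETTEXTLENGTH / WM_GETTEXT / CharUpperBuffW / _wcsstr sequence, i.e. a case-insensitive window-title substring match, which is what an analyst looks for when a sample is suspected of hunting for specific open windows. The sample input is constructed from the shape of the records on this page; the function names and the detection rule are this example's own.

```python
"""Parse Joe Sandbox IDA-plugin style API trace lines (example code, not the plugin's)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the same line format as the records on this page.
SAMPLE = """\
• InterlockedExchange.KERNEL32(?,000001F5), ref: 00C2080C
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C20847
• ShowWindow.USER32(?,00000004), ref: 00C482E5
• SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00C4832F
• IsWindowVisible.USER32(?), ref: 00C14C95
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C14CB2
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C14CEA
• _wcslen.LIBCMT ref: 00C14D08
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C14D10
• _wcsstr.LIBVCRUNTIME ref: 00C14D1A
  • Part of subcall function 00BC9339: BeginPath.GDI32(00000000), ref: 00BC9357
"""

LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"       # CRT entries like _wcslen.LIBCMT have no arg list
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Only the constants that appear in these records; values from WinUser.h / CommCtrl.h.
WINDOW_MESSAGES = {
    0x000D: "WM_GETTEXT",
    0x000E: "WM_GETTEXTLENGTH",
    0x130C: "TCM_SETCURSEL",          # TCM_FIRST (0x1300) + 12
}
SHOW_WINDOW_CMDS = {0: "SW_HIDE", 4: "SW_SHOWNOACTIVATE"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                        # raw argument tokens; '?' means unresolved
    ref: int                          # call-site address from the "ref:" field
    subcall_of: Optional[int] = None  # set for "Part of subcall function XXXX" lines


def parse_trace(text: str) -> list:
    """Turn trace lines into ApiCall records; headers such as 'APIs' are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        sub = m.group("sub")
        calls.append(ApiCall(m.group("name"), m.group("mod"),
                             raw.split(",") if raw else [],
                             int(m.group("ref"), 16),
                             int(sub, 16) if sub else None))
    return calls


def _hex_arg(call: ApiCall, idx: int) -> Optional[int]:
    """Argument idx as an int, or None when the trace shows it as '?' or omits it."""
    if idx >= len(call.args) or call.args[idx] == "?":
        return None
    return int(call.args[idx], 16)


def annotate(call: ApiCall) -> str:
    """One-line rendering with symbolic constants where the trace has raw hex."""
    if call.name == "SendMessageW":
        msg = _hex_arg(call, 1)
        sym = WINDOW_MESSAGES.get(msg, f"0x{msg:04X}" if msg is not None else "?")
        return f"{call.ref:08X} SendMessageW(hwnd, {sym}, ...)"
    if call.name == "ShowWindow":
        cmd = _hex_arg(call, 1)
        return f"{call.ref:08X} ShowWindow(hwnd, {SHOW_WINDOW_CMDS.get(cmd, str(cmd))})"
    return f"{call.ref:08X} {call.name}.{call.module}"


# Ordered idiom: visible window -> text length -> text -> upper-case -> substring search.
TITLE_MATCH_SEQUENCE = [
    ("IsWindowVisible", None),
    ("SendMessageW", 0x000E),
    ("SendMessageW", 0x000D),
    ("CharUpperBuffW", None),
    ("_wcsstr", None),
]


def has_title_match_sequence(calls: list) -> bool:
    """True if the calls contain TITLE_MATCH_SEQUENCE in order (gaps allowed)."""
    pending = iter(TITLE_MATCH_SEQUENCE)
    target = next(pending)
    for c in calls:
        name, msg = target
        if c.name == name and (msg is None or _hex_arg(c, 1) == msg):
            target = next(pending, None)
            if target is None:
                return True
    return False


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE)
    for c in parsed:
        print(annotate(c))
    print("window-title substring match:", has_title_match_sequence(parsed))
```

The sequence check is deliberately order-sensitive with gaps allowed, because the plugin lists calls by address within one function and unrelated calls (here _wcslen) sit between the interesting ones; matching on exact adjacency would miss it.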
APIs
• IsWindowVisible.USER32(?), ref: 00C14C95
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C14CB2
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C14CEA
• _wcslen.LIBCMT ref: 00C14D08
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C14D10
• _wcsstr.LIBVCRUNTIME ref: 00C14D1A
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 72514467-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 33f2b2365aa58c2ce849a982de55330eb4f8e739efe8820fe483d1c81012dc6a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 471ec23b432f162bbcddf9e549dfaf971211aaa7453dea457138ff52607e2caf
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 33f2b2365aa58c2ce849a982de55330eb4f8e739efe8820fe483d1c81012dc6a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FC21F975205201BBEB196B39EC49FBF7BDDDF46750F10806DF805CA1A2EA61DD40A6A0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB3A97,?,?,00BB2E7F,?,?,?,00000000), ref: 00BB3AC2
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00C2587B
                                                                                                                                                                                                                                                                                                                                                                                • CoInitialize.OLE32(00000000), ref: 00C25995
                                                                                                                                                                                                                                                                                                                                                                                • CoCreateInstance.OLE32(00C4FCF8,00000000,00000001,00C4FB68,?), ref: 00C259AE
                                                                                                                                                                                                                                                                                                                                                                                • CoUninitialize.OLE32 ref: 00C259CC
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: .lnk
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3172280962-24824748
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 3ee924e4c21a5e5b5e74607b5cae3183356daca1a59780d7781562795b22e212
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: aab8e7220295cc46bccec101afe67f052fcf9c30627a0bdd12bd13cef96a5537
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3ee924e4c21a5e5b5e74607b5cae3183356daca1a59780d7781562795b22e212
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 68D161746086109FC714EF24D484A6BBBE1FF89710F14889DF89A9B361DB31ED46CB92
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C10FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C10FCA
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C10FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C10FD6
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C10FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C10FE5
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C10FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C10FEC
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C10FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C11002
                                                                                                                                                                                                                                                                                                                                                                                • GetLengthSid.ADVAPI32(?,00000000,00C11335), ref: 00C117AE
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C117BA
                                                                                                                                                                                                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000), ref: 00C117C1
                                                                                                                                                                                                                                                                                                                                                                                • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C117DA
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,00C11335), ref: 00C117EE
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00C117F5
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3008561057-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: b02ab9481e9e547fdf1a7269d6f3a85bf06fdae4abc80da99687559786f6ac45
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ac9d1c58861dcd06beb1db92563c06604a3eb6f23bfd9ff8e470ea6e36d766b3
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b02ab9481e9e547fdf1a7269d6f3a85bf06fdae4abc80da99687559786f6ac45
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FA11BE35902205FFDB109FA4CC89BEE7BA9FB43355F184018F95197260C739AA80EBA0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C114FF
                                                                                                                                                                                                                                                                                                                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00C11506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C11515
• CloseHandle.KERNEL32(00000004), ref: 00C11520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C1154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00C11563
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: 177fbacfc791e9b29ccaf1c8a70245b878761a39d8028ee5e1864ecb9c9bba76
• Instruction ID: 41f4cd1166f1ad0acf3b66cb7639e3d7ef955c9b153f0155dde94d7d0e4fe7ec
• Opcode Fuzzy Hash: 177fbacfc791e9b29ccaf1c8a70245b878761a39d8028ee5e1864ecb9c9bba76
• Instruction Fuzzy Hash: AB115C76601209EBDF118F94DD49BDE7BA9FF4A714F084014FE15A2060C3798E60EB60
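The record above is the evidence behind the report's "Contains functionality to launch a process as a different user" signature: the function builds an environment block for a token (the same handle value, 00000004, is closed right after), calls CreateProcessWithLogonW, then frees the block with DestroyEnvironmentBlock. The API ID field also lists OpenProcessToken and GetCurrentProcess among the record's call names, so the token is most likely the sample's own. Note that the user name, password and command-line operands of CreateProcessWithLogonW are all shown as ?, so this static trace by itself does not say which account or program is used; that has to come from the strings or a run-time trace. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses "APIs" records in this page's format and flags any function whose call list contains that chain in order. The sample input is a constructed excerpt copied from the records on this page (an "APIs" header is added in front of the first record, which the excerpt cuts off), and RUNAS_CHAIN and the function names are the example's own.

```python
"""Parse Joe Sandbox "APIs" records and flag the CreateProcessWithLogonW chain.

Added example, not part of the report. It works on the per-function API lists
printed in reports like this page; SAMPLE_REPORT below is a constructed excerpt.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# One bullet of an "APIs" list. Three shapes occur on the page:
#   • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,...), ref: 00C1154F
#   • _free.LIBCMT ref: 00BE2DAB                         (no argument list)
#   • Part of subcall function 00BC9639: BeginPath.GDI32(?), ref: 00BC96B9
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]   # raw operands; '?' means the sandbox could not resolve the value statically
    ref: int                # address of the call site
    subcall: Optional[int]  # callee address when the report attributes the call to a sub-function


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if m is None:
        return None
    args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
    return ApiCall(
        api=m["api"],
        module=m["module"].upper(),
        args=args,
        ref=int(m["ref"], 16),
        subcall=int(m["sub"], 16) if m["sub"] else None,
    )


def split_records(report_text: str) -> List[List[ApiCall]]:
    """One list of calls per function; each record starts at an 'APIs' header line."""
    records: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in report_text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
        elif current is not None:
            call = parse_api_line(line)  # non-API bullets (Source File, Opcode ID, ...) give None
            if call is not None:
                current.append(call)
    return records


def match_chain(calls: Sequence[ApiCall], chain: Sequence[str]) -> Optional[List[int]]:
    """Refs of the calls that realise `chain` in order (other calls may sit between), else None."""
    refs: List[int] = []
    for call in calls:
        if len(refs) < len(chain) and call.api == chain[len(refs)]:
            refs.append(call.ref)
    return refs if len(refs) == len(chain) else None


# The pattern behind the report's "launch a process as a different user" signature:
# build an environment block for a token, spawn with explicit credentials, free the block.
RUNAS_CHAIN = ("CreateEnvironmentBlock", "CreateProcessWithLogonW", "DestroyEnvironmentBlock")


def find_runas_functions(report_text: str) -> List[dict]:
    hits = []
    for calls in split_records(report_text):
        refs = match_chain(calls, RUNAS_CHAIN)
        if refs is None:
            continue
        logon = next(c for c in calls if c.api == "CreateProcessWithLogonW")
        hits.append({
            "refs": refs,
            "module": logon.module,
            # user name, password and command line are the first operands; all-'?' means the
            # static trace alone does not say which account or program is used
            "operands_resolved": any(a != "?" for a in logon.args[:3]),
        })
    return hits


# Constructed excerpt of the records on this page (an "APIs" header is added in front of
# the first record, which the page excerpt cuts off); not the full report.
SAMPLE_REPORT = """\
APIs
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C11515
• CloseHandle.KERNEL32(00000004), ref: 00C11520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C1154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00C11563
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
APIs
• GetLastError.KERNEL32(?,?,00BD3379,00BD2FE5), ref: 00BD3390
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BD339E
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BD33B7
• SetLastError.KERNEL32(00000000,?,00BD3379,00BD2FE5), ref: 00BD3409
APIs
  • Part of subcall function 00BC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BC9693
• MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00C48A4E
• StrokePath.GDI32(?), ref: 00C48AA0
"""

if __name__ == "__main__":
    for hit in find_runas_functions(SAMPLE_REPORT):
        print("RunAs chain at", ", ".join(f"{r:08X}" for r in hit["refs"]), hit)
```

Run against a full report export, the script lists every function that carries the chain together with the call-site addresses, which is the starting point for pulling the credential and command-line operands out of the disassembly or a run-time trace; calls attributed to sub-functions are kept in the sequence, since the report counts them as that function's behaviour.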
APIs
• GetLastError.KERNEL32(?,?,00BD3379,00BD2FE5), ref: 00BD3390
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BD339E
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BD33B7
• SetLastError.KERNEL32(00000000,?,00BD3379,00BD2FE5), ref: 00BD3409
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 5c96db53a4786165188b79bd6723985be3e9a7b7d619cf03748ef17325439075
• Instruction ID: f3d1db033e507e886094902fb51dd89ad4023eb42373e7076794c17308b19774
• Opcode Fuzzy Hash: 5c96db53a4786165188b79bd6723985be3e9a7b7d619cf03748ef17325439075
• Instruction Fuzzy Hash: 1001F13260D312AEAB242BB46CC576AAAD4EB05B7932042AFF410803F2FF118D01958A
APIs
• GetLastError.KERNEL32(?,?,00BE5686,00BF3CD6,?,00000000,?,00BE5B6A,?,?,?,?,?,00BDE6D1,?,00C78A48), ref: 00BE2D78
• _free.LIBCMT ref: 00BE2DAB
• _free.LIBCMT ref: 00BE2DD3
• SetLastError.KERNEL32(00000000,?,?,?,?,00BDE6D1,?,00C78A48,00000010,00BB4F4A,?,?,00000000,00BF3CD6), ref: 00BE2DE0
• SetLastError.KERNEL32(00000000,?,?,?,?,00BDE6D1,?,00C78A48,00000010,00BB4F4A,?,?,00000000,00BF3CD6), ref: 00BE2DEC
• _abort.LIBCMT ref: 00BE2DF2
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: bf72a5dbdd783a08404e12fc89144616eb4cccf7c649d2f99d11ef4e28ddb40f
• Instruction ID: e22d1264264773f7168906c3e0731ddd462b56852632a621e466643d200021ac
• Opcode Fuzzy Hash: bf72a5dbdd783a08404e12fc89144616eb4cccf7c649d2f99d11ef4e28ddb40f
• Instruction Fuzzy Hash: 61F0A93590558127C25227376C4AB5E17DDEFC27A5F3585B9FA25D22B2EF2488414160
APIs
  • Part of subcall function 00BC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BC9693
  • Part of subcall function 00BC9639: SelectObject.GDI32(?,00000000), ref: 00BC96A2
  • Part of subcall function 00BC9639: BeginPath.GDI32(?), ref: 00BC96B9
  • Part of subcall function 00BC9639: SelectObject.GDI32(?,00000000), ref: 00BC96E2
• MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00C48A4E
• LineTo.GDI32(?,00000003,00000000), ref: 00C48A62
• MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00C48A70
• LineTo.GDI32(?,00000000,00000003), ref: 00C48A80
• EndPath.GDI32(?), ref: 00C48A90
• StrokePath.GDI32(?), ref: 00C48AA0
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 43455801-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 758099572a75cbafcb145cf816801d9e8200054b6e549ee00fde75cdef4d18ae
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: eaaa93c8d435346ab8a8aed9b9f48507411e4dfb4f9a61187441851f750df579
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 758099572a75cbafcb145cf816801d9e8200054b6e549ee00fde75cdef4d18ae
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5A11F376001108FFEB129F90DC88FAE7FACFB09350F048022BA199A1B1C7719E55DBA0
APIs
• GetDC.USER32(00000000), ref: 00C15218
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00C15229
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C15230
• ReleaseDC.USER32(00000000,00000000), ref: 00C15238
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C1524F
• MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C15261
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: e9d03b334cf6c9b85f135c6e063cd60e5f42052abf82b9aa49d5a255453667bf
• Instruction ID: 9e60d29d41a2783cadf063ef8a939c0abb392ac1ffe6d245011f01a7afda9ad0
• Opcode Fuzzy Hash: e9d03b334cf6c9b85f135c6e063cd60e5f42052abf82b9aa49d5a255453667bf
• Instruction Fuzzy Hash: A9018F75A01708BBEB109BE59C89B8EBFB8FB49351F044065FA04A7291D6709901CBA0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BB1BF4
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00BB1BFC
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BB1C07
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BB1C12
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00BB1C1A
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00BB1C22
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: ad0836e0f6c6897b50b3e5d435299eea8dc23ff755ba4a34934fdc1007d60142
• Instruction ID: 81b60477b24c562aae8da97ca80123a0f671a05fcda219f92ba2dc3b7c53e4f7
• Opcode Fuzzy Hash: ad0836e0f6c6897b50b3e5d435299eea8dc23ff755ba4a34934fdc1007d60142
• Instruction Fuzzy Hash: E60167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7F5A864CFE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C1EB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C1EB46
• GetWindowThreadProcessId.USER32(?,?), ref: 00C1EB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C1EB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C1EB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C1EB75
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 839392675-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: f2445ff1d90395bb641b4bf57dea7547f7ea51f7dcbcf5ca7af029a96083b7b0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 0a2b455b670bd6bc62cf9860edc878534c51c7f6c82ff78e4d2ff4ad9385e00a
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f2445ff1d90395bb641b4bf57dea7547f7ea51f7dcbcf5ca7af029a96083b7b0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8FF03A7A642158BBE7615B629C4EFEF3A7CFFCBB11F004158FA11E10A1D7A05A01C6B5
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetClientRect.USER32(?), ref: 00C07452
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001328,00000000,?), ref: 00C07469
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowDC.USER32(?), ref: 00C07475
                                                                                                                                                                                                                                                                                                                                                                                • GetPixel.GDI32(00000000,?,?), ref: 00C07484
                                                                                                                                                                                                                                                                                                                                                                                • ReleaseDC.USER32(?,00000000), ref: 00C07496
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColor.USER32(00000005), ref: 00C074B0
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 272304278-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: eedbdde88d89bf9151c9ef3ad986aeb08cfd2321df7ca642c8213dbfc2d4bc75
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 3b76ede428de45978d60ac66408c8917005df4e7e687f039b596ced660a249fe
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eedbdde88d89bf9151c9ef3ad986aeb08cfd2321df7ca642c8213dbfc2d4bc75
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BB018635801205EFEB905FA4DC48BEE7BB5FB05321F214164F926A20B1CB312E41EF10
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C1187F
                                                                                                                                                                                                                                                                                                                                                                                • UnloadUserProfile.USERENV(?,?), ref: 00C1188B
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 00C11894
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 00C1189C
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00C118A5
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 00C118AC
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 146765662-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 7a015997882e2be27e05dfa95010298a50a8ffd9ea31adcf466fa9f19e03c7a4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: a7b5c35642d5d3cad30dde7f2003a5404dfde3c61c44987ce0f8b6544df4132d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7a015997882e2be27e05dfa95010298a50a8ffd9ea31adcf466fa9f19e03c7a4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 55E0E53A606101BBDB415FA1ED4CB4EBF39FF4AB22B108220F22581070CB329430DF50
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • ShellExecuteExW.SHELL32(0000003C), ref: 00C3AEA3
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB7620: _wcslen.LIBCMT ref: 00BB7625
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessId.KERNEL32(00000000), ref: 00C3AF38
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00C3AF67
                                                                                                                                                                                                                                                                                                                                                                                Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CloseExecuteHandleProcessShell_wcslen
• String ID: <$@
• API String ID: 146682121-1426351568
• Opcode ID: 3d2ffe177d687bce8f2894b3e7509e6ad25b7363b44d2524d690e2e777002f7c
• Instruction ID: 120a40723ba756ea993e425885e1cfde3107dd29ea278232f7e77e3b90a04a00
• Opcode Fuzzy Hash: 3d2ffe177d687bce8f2894b3e7509e6ad25b7363b44d2524d690e2e777002f7c
• Instruction Fuzzy Hash: 62719C70A10615DFCB14DF94C495AAEBBF0FF08310F048499E856AB3A2CB74EE55CB91
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C17206
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C1723C
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C1724D
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C172CF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
• Opcode ID: 7c5b08c206c586122f33ff3fa9349eaaea9d665cc195102a8efff159eed19aa6
• Instruction ID: eeebd60e9f2e8ab0e0a8aba4b9acfeab9aebd6099ddb9745fc385094b5718d6d
• Opcode Fuzzy Hash: 7c5b08c206c586122f33ff3fa9349eaaea9d665cc195102a8efff159eed19aa6
• Instruction Fuzzy Hash: A6415E71604204EFDB15CF54C884BDA7BB9EF4A310F1481A9BD05DF20AD7B1DA86EBA0
APIs
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C1C306
• DeleteMenu.USER32(?,00000007,00000000), ref: 00C1C34C
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C81990,8U), ref: 00C1C395
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0$8U
• API String ID: 135850232-2961431296
• Opcode ID: dcd30f539e58c814d883a4c5237954daac2c8dc7959b6bbe10e9e3aaeec2839b
• Instruction ID: 5feeb9ff55c3a95e25821f753841d6d10314b044c1c2abb402e4b241e29c6a49
• Opcode Fuzzy Hash: dcd30f539e58c814d883a4c5237954daac2c8dc7959b6bbe10e9e3aaeec2839b
• Instruction Fuzzy Hash: E941C0312443019FD720DF25D8C4B9ABBE4AF86320F00865EF9B5972A1D730E944EB56
APIs
  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
  • Part of subcall function 00C13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C13CCA
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C11E66
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C11E79
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00C11EA9
  • Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: MessageSend$_wcslen$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2081771294-1403004172
• Opcode ID: c61f1589977dd34b16ce311fedab8fb7dcf30102cff8df536338405711ac7a31
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: a0337b2ea9a1f07c61a7e90caa3578f7ccaae17a6bff37fb3440f56f9d0e2c26
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c61f1589977dd34b16ce311fedab8fb7dcf30102cff8df536338405711ac7a31
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 46214971A00104BFDB14ABA0CC8ADFFB7B8EF42350B148169FD25A31E1DB784E45A620
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C42F8D
                                                                                                                                                                                                                                                                                                                                                                                • LoadLibraryW.KERNEL32(?), ref: 00C42F94
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C42FA9
                                                                                                                                                                                                                                                                                                                                                                                • DestroyWindow.USER32(?), ref: 00C42FB1
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID: SysAnimate32
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3529120543-1011021900
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 4db712dac5ac46ff1687e40958cd7359deb96b61162f5b3286a8a8fa6d037373
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f9c5ffd8dda4629f3e23f4aa36e8a782e820c80ccf526dead3a3add58564ac03
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4db712dac5ac46ff1687e40958cd7359deb96b61162f5b3286a8a8fa6d037373
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 71219A71200229ABFB104FA4DC82FBB3BBDFB59364F904228F960D21A0D771DC959760
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BD4D1E,00BE28E9,?,00BD4CBE,00BE28E9,00C788B8,0000000C,00BD4E15,00BE28E9,00000002), ref: 00BD4D8D
                                                                                                                                                                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BD4DA0
                                                                                                                                                                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,00BD4D1E,00BE28E9,?,00BD4CBE,00BE28E9,00C788B8,0000000C,00BD4E15,00BE28E9,00000002,00000000), ref: 00BD4DC3
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                                                                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: b2cab51f9a9fb8cbab5ab7cd7760de5444c71cb78f6e96977d9630c733ac712d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 56309ab1c82c3ad1e61e1917406636ac5699883b396df4deb3487cd33456f854
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b2cab51f9a9fb8cbab5ab7cd7760de5444c71cb78f6e96977d9630c733ac712d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 40F04F39A41208BBDB519F90DC89BAEBFF5EF48752F0000A9F809A2260DB715D80CA94
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BB4EDD,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4E9C
                                                                                                                                                                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BB4EAE
                                                                                                                                                                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,00BB4EDD,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4EC0
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 145871493-3689287502
• Opcode ID: ccd8c1354e3a7455d1e9ce4ec41c8c26cbde28593d6cf621c1fc12b7870c5ccf
• Instruction ID: 7f6ad32f26a2db6c296ade3e561a2ad005860c0693073eefd6088874455c7d5c
• Opcode Fuzzy Hash: ccd8c1354e3a7455d1e9ce4ec41c8c26cbde28593d6cf621c1fc12b7870c5ccf
• Instruction Fuzzy Hash: 7EE0CD3AA035225BD27117296C58BBF6594FF82F627050165FC04D2122DBE0CD0185A1
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BF3CDE,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4E62
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BB4E74
• FreeLibrary.KERNEL32(00000000,?,?,00BF3CDE,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4E87
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 145871493-1355242751
• Opcode ID: ddf22df2ee8e06db9afce101920e682fb4bea986d09e662c9ea71f9f31f30f8f
• Instruction ID: 898e7672a6b94149fdccd51922d24b4501f6778334dcce6a1be80e4cdf5c8f37
• Opcode Fuzzy Hash: ddf22df2ee8e06db9afce101920e682fb4bea986d09e662c9ea71f9f31f30f8f
• Instruction Fuzzy Hash: F4D0C23A503A215746621B246C08FDF2B58FF82B113050160B804A2121CFA0CD02C5E0
APIs
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C22C05
• DeleteFileW.KERNEL32(?), ref: 00C22C87
• CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C22C9D
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C22CAE
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C22CC0
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: File$Delete$Copy
• String ID:
• API String ID: 3226157194-0
• Opcode ID: ef9ba870a60d6076e5c9214616cdef1ac72396b4516d12f92d4733bcd40aa192
• Instruction ID: 4e185cd12a2cfc46259196b4b322721650f758f4c27a1db2ac06e6437a7b63b6
• Opcode Fuzzy Hash: ef9ba870a60d6076e5c9214616cdef1ac72396b4516d12f92d4733bcd40aa192
• Instruction Fuzzy Hash: EEB16E72E00129ABDF21EFA4DC85EEEB7BDEF09350F1040A6F509E6151EA709A448F61
APIs
• GetCurrentProcessId.KERNEL32 ref: 00C3A427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C3A435
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C3A468
• CloseHandle.KERNEL32(?), ref: 00C3A63D
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
• Opcode ID: 504ab8e88eb05d7a949552d5a07cda3ed84e2b886d51ec1c8079bd96ba048fef
• Instruction ID: 7e6d032ca6c710207be86cce3c37506042d461eba041767e712071d0ac7bb7b7
• Opcode Fuzzy Hash: 504ab8e88eb05d7a949552d5a07cda3ed84e2b886d51ec1c8079bd96ba048fef
• Instruction Fuzzy Hash: 02A190716147009FD720DF24C886F2AB7E5AF84714F14889DF5AA9B392DBB0ED41CB92
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C53700), ref: 00BEBB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,00C8121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BEBC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,00C81270,000000FF,?,0000003F,00000000,?), ref: 00BEBC36
• _free.LIBCMT ref: 00BEBB7F
  • Part of subcall function 00BE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000), ref: 00BE29DE
  • Part of subcall function 00BE29C8: GetLastError.KERNEL32(00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000,00000000), ref: 00BE29F0
• _free.LIBCMT ref: 00BEBD4B
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1286116820-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 1b8b826db0579aa2bde00c78d72baaed2a88e3920b7bb68c6f885a4bcb69ff9b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: c9a3eee5d2271a2edb2d09e2541eaa0a0b3b5548760004589bb58cb26164f050
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1b8b826db0579aa2bde00c78d72baaed2a88e3920b7bb68c6f885a4bcb69ff9b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9351F771904249AFCB14EF669C81EAFB7FCEF40320B1442EAE554D72A1EB309E418B54
APIs
  • Part of subcall function 00C1DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C1CF22,?), ref: 00C1DDFD
  • Part of subcall function 00C1DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C1CF22,?), ref: 00C1DE16
  • Part of subcall function 00C1E199: GetFileAttributesW.KERNEL32(?,00C1CF95), ref: 00C1E19A
• lstrcmpiW.KERNEL32(?,?), ref: 00C1E473
• MoveFileW.KERNEL32(?,?), ref: 00C1E4AC
• _wcslen.LIBCMT ref: 00C1E5EB
• _wcslen.LIBCMT ref: 00C1E603
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C1E650
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0
• Opcode ID: f9b50575625b2256415a5d1d7f49bacb882cfe4278022666bf54832ed1cd1ef9
• Instruction ID: 072228316284d73a343975e6ef9345e46b2201140275d5a7f20d64840eb88fef
• Opcode Fuzzy Hash: f9b50575625b2256415a5d1d7f49bacb882cfe4278022666bf54832ed1cd1ef9
• Instruction Fuzzy Hash: BB5172B24083459BC724EB90DC819DFB3ECAF85340F10491EFA99D3191EF74A6C89766
APIs
  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
  • Part of subcall function 00C3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3B6AE,?,?), ref: 00C3C9B5
  • Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3C9F1
  • Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3CA68
  • Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3CA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3BAA5
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C3BB00
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C3BB63
• RegCloseKey.ADVAPI32(?,?), ref: 00C3BBA6
• RegCloseKey.ADVAPI32(00000000), ref: 00C3BBB3
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 826366716-0
• Opcode ID: adb506376acc144d6c744382a0954552917174a89b8ba9f92b411567ea8fdd42
• Instruction ID: bd4e3fbeaba801c94869ee186d1a6f358a6b05a30935f99fa2fa8682e68faefd
• Opcode Fuzzy Hash: adb506376acc144d6c744382a0954552917174a89b8ba9f92b411567ea8fdd42
• Instruction Fuzzy Hash: 9761A031218241AFD314DF14C8D1E6ABBE5FF84308F14859DF59A8B2A2DB31ED45DB92
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • VariantInit.OLEAUT32(?), ref: 00C18BCD
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32 ref: 00C18C3E
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32 ref: 00C18C9D
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32(?), ref: 00C18D10
                                                                                                                                                                                                                                                                                                                                                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C18D3B
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Variant$Clear$ChangeInitType
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4136290138-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: e59bf211b3da27f7e66501f180bbdb9046c18bcb83f033ae086e2027956a8c97
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 47bfb1b0a5641b8bae085cc33b3379fd0f1c5a8a848dd69e30d459251cc9bb6d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e59bf211b3da27f7e66501f180bbdb9046c18bcb83f033ae086e2027956a8c97
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 635169B5A0021AEFCB10DF68D894AAAB7F8FF8A310B158559F915DB350E730E951CF90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C28BAE
                                                                                                                                                                                                                                                                                                                                                                                • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C28BDA
                                                                                                                                                                                                                                                                                                                                                                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C28C32
                                                                                                                                                                                                                                                                                                                                                                                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C28C57
                                                                                                                                                                                                                                                                                                                                                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C28C5F
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: PrivateProfile$SectionWrite$String
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2832842796-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: b09a29b3ce0e86beedd4676c5f3d8f5a20f129e6c7a4ba8c3d738ac5e64d4845
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: df2db722d2d262da5713098a544d2988891681905175e8441f7d9459cabb2a88
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b09a29b3ce0e86beedd4676c5f3d8f5a20f129e6c7a4ba8c3d738ac5e64d4845
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FA516B35A002159FCB11DF64C881EADBBF5FF49314F088098E849AB362CB71ED45CBA0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C38F40
                                                                                                                                                                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00C38FD0
                                                                                                                                                                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00C38FEC
                                                                                                                                                                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00C39032
                                                                                                                                                                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00C39052
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BCF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C21043,?,761DE610), ref: 00BCF6E6
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BCF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C0FA64,00000000,00000000,?,?,00C21043,?,761DE610,?,00C0FA64), ref: 00BCF70D
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 666041331-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 143ec90e8d4d364eaff7cd4e35ba9b76d58472f5e6b0ba318515786ace15fdc9
• Instruction ID: 82f8e84dcfe66a9ddd03660dcb609cfbf49d202f6e2340436bf1ccb9cca9bb20
• Opcode Fuzzy Hash: 143ec90e8d4d364eaff7cd4e35ba9b76d58472f5e6b0ba318515786ace15fdc9
• Instruction Fuzzy Hash: 1F514835615205DFCB14DF68C4949ADBBF1FF49314F0480A8E81A9B362DB71EE85CB90
APIs
• SetWindowLongW.USER32(00000002,000000F0,?), ref: 00C46C33
• SetWindowLongW.USER32(?,000000EC,?), ref: 00C46C4A
• SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00C46C73
• ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C2AB79,00000000,00000000), ref: 00C46C98
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00C46CC7
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$Long$MessageSendShow
• String ID:
• API String ID: 3688381893-0
• Opcode ID: 277b2a3ed0441b5adea94ebd05b3273d402cde0ce84784011c2d0e7a8920d98f
• Instruction ID: 94fa45b8b0d7618e654f7a4dfcf92baf7866b193039aa11bcbddbc42a12e00a6
• Opcode Fuzzy Hash: 277b2a3ed0441b5adea94ebd05b3273d402cde0ce84784011c2d0e7a8920d98f
• Instruction Fuzzy Hash: 0E41B235A04104AFDB24CF69CCD8FA97BA5FB0B360F150268FCA5A72E4C771AE41DA51
APIs
• GetCursorPos.USER32(?), ref: 00BC9141
• ScreenToClient.USER32(00000000,?), ref: 00BC915E
• GetAsyncKeyState.USER32(00000001), ref: 00BC9183
• GetAsyncKeyState.USER32(00000002), ref: 00BC919D
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: e1c8af059dc767bb0df118c79b9b479645b626d6fd166fa39523f2f198c8c160
• Instruction ID: 0b8427d331f61917756cf31fa209e5759786bd8eaf50d68f1cd5df61ddff2f86
• Opcode Fuzzy Hash: e1c8af059dc767bb0df118c79b9b479645b626d6fd166fa39523f2f198c8c160
• Instruction Fuzzy Hash: 02416231A0851AFBDF199F64C889BEEB7B4FB05320F244359E429A32E0C7346950DB91
APIs
• GetInputState.USER32 ref: 00C238CB
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C23922
• TranslateMessage.USER32(?), ref: 00C2394B
• DispatchMessageW.USER32(?), ref: 00C23955
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C23966
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchInputPeekState
• String ID:
• API String ID: 2256411358-0
• Opcode ID: 4c9ab98c9103b20adaee5513a7b229288c352e64b90de2745269e976020ff872
• Instruction ID: b56172e1759c1459367039b8377e6186698e5e9b216868d0be98ba5faed780e6
• Opcode Fuzzy Hash: 4c9ab98c9103b20adaee5513a7b229288c352e64b90de2745269e976020ff872
• Instruction Fuzzy Hash: B331C8705043D19EEB25DB35A849BBA37E8AB06314F08056DE872C69E0D3B89BC5DB15
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00C2C21E,00000000), ref: 00C2CF38
• InternetReadFile.WININET(?,00000000,?,?), ref: 00C2CF6F
• GetLastError.KERNEL32(?,00000000,?,?,?,00C2C21E,00000000), ref: 00C2CFB4
• SetEvent.KERNEL32(?,?,00000000,?,?,?,00C2C21E,00000000), ref: 00C2CFC8
• SetEvent.KERNEL32(?,?,00000000,?,?,?,00C2C21E,00000000), ref: 00C2CFF2
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3191363074-0
APIs
• GetWindowRect.USER32(?,?), ref: 00C11915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 00C119C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 00C119C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 00C119DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C119E2
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
APIs
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C45745
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00C4579D
• _wcslen.LIBCMT ref: 00C457AF
• _wcslen.LIBCMT ref: 00C457BA
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00C45816
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: MessageSend$_wcslen
• String ID:
• API String ID: 763830540-0
APIs
• IsWindow.USER32(00000000), ref: 00C30951
• GetForegroundWindow.USER32 ref: 00C30968
• GetDC.USER32(00000000), ref: 00C309A4
• GetPixel.GDI32(00000000,?,00000003), ref: 00C309B0
• ReleaseDC.USER32(00000000,00000003), ref: 00C309E8
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 5a49fe0ea99cff5dbbbad3aa69515460c93404e713d6ae91185915f32e683e6d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 5e7a2267303650296533b0117c240645e4d66011189d1deaa64e6ae082b7442d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5a49fe0ea99cff5dbbbad3aa69515460c93404e713d6ae91185915f32e683e6d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DC219F3A600214AFD714EF65D898BAEBBE9FF45710F148068F84A97762CB70AD04CB50
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 00BECDC6
                                                                                                                                                                                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BECDE9
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BE3820: RtlAllocateHeap.NTDLL(00000000,?,00C81444,?,00BCFDF5,?,?,00BBA976,00000010,00C81440,00BB13FC,?,00BB13C6,?,00BB1129), ref: 00BE3852
                                                                                                                                                                                                                                                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BECE0F
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BECE22
                                                                                                                                                                                                                                                                                                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BECE31
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 336800556-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c54a5586564d86d57004592e42b03388baff5a7b7b5f7a520f4c9333bfc8eb38
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 1ef69bf7a2f434a0a04d6cee33df0833d1f3e3b851f1ffb72a381c7fc196f7a7
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c54a5586564d86d57004592e42b03388baff5a7b7b5f7a520f4c9333bfc8eb38
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B501D4766022957F23211ABB6CCCE7F6DEDEEC7BA131501A9FD05D7211EB619D0281B0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BC9693
                                                                                                                                                                                                                                                                                                                                                                                • SelectObject.GDI32(?,00000000), ref: 00BC96A2
                                                                                                                                                                                                                                                                                                                                                                                • BeginPath.GDI32(?), ref: 00BC96B9
                                                                                                                                                                                                                                                                                                                                                                                • SelectObject.GDI32(?,00000000), ref: 00BC96E2
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: ec620fc9abdba244d1ca1c7bf9c14316e586ff4a4e7931e4e730fc97351ae1b2
• Instruction ID: b2fe6768cccc035fdb4153cd3b5151dd2ff53ae689a030326bfdaf8f31399ff1
• Opcode Fuzzy Hash: ec620fc9abdba244d1ca1c7bf9c14316e586ff4a4e7931e4e730fc97351ae1b2
• Instruction Fuzzy Hash: 0A215030802305EBEB119F64EC58BAD7BFCFB51755F14426AF810A61F0D3709992CB98
APIs
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _memcmp
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2931989736-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 98012af643da1d539f2c69ecd03b2df4a637c7b9dd88a734eafc57f5e955399e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 8678b33475ed51ea41242cf0b7806a7ed779fcec69aabad888f8ec7be53b55c3
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 98012af643da1d539f2c69ecd03b2df4a637c7b9dd88a734eafc57f5e955399e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CF01F5A5651609FBE21855159D83FFBB38CEBA23A4F004035FD049A2C2F720EE9192E4
APIs
• GetLastError.KERNEL32(?,?,?,00BDF2DE,00BE3863,00C81444,?,00BCFDF5,?,?,00BBA976,00000010,00C81440,00BB13FC,?,00BB13C6), ref: 00BE2DFD
• _free.LIBCMT ref: 00BE2E32
• _free.LIBCMT ref: 00BE2E59
• SetLastError.KERNEL32(00000000,00BB1129), ref: 00BE2E66
• SetLastError.KERNEL32(00000000,00BB1129), ref: 00BE2E6F
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: b61e0b989f4cf824cd7d9bedd7f309a4e4ed12932aafc7c4be648bda85034c42
• Instruction ID: a9cf5618e66276590d3d7cf8c72ce2674e4083bde5be09093af2adf693d1175d
• Opcode Fuzzy Hash: b61e0b989f4cf824cd7d9bedd7f309a4e4ed12932aafc7c4be648bda85034c42
• Instruction Fuzzy Hash: F701F43660669067C6122B776CCAF6F26DDEBC27A5B3141B8F425A32A3EB248C014120
APIs
• CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?,?,?,00C1035E), ref: 00C1002B
• ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?,?), ref: 00C10046
• lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?,?), ref: 00C10054
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?), ref: 00C10064
• CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?,?), ref: 00C10070
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: e39de49507b3a85d2f0a187eba51ce4f12a3c697a79d86fdb63d34d2cf60f938
• Instruction ID: b270c64450c6f55f5806ba2a27d8bb5a65ff15d48b26794c628ac658263e9713
• Opcode Fuzzy Hash: e39de49507b3a85d2f0a187eba51ce4f12a3c697a79d86fdb63d34d2cf60f938
• Instruction Fuzzy Hash: 51018476601204BFDB504F65DC44BEE7BADEB49752F244114F905D2220E7B5DEC09760
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 00C1E997
• QueryPerformanceFrequency.KERNEL32(?), ref: 00C1E9A5
• Sleep.KERNEL32(00000000), ref: 00C1E9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 00C1E9B7
• Sleep.KERNEL32 ref: 00C1E9F3
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: a76a19058438561155bf33b77a2617c8678542f06b33405acf70d89fc7c90836
• Instruction ID: 071452f8a3a3bb108fbb5c4fc16ef72753f5f17926d27401b344a14a8d9a8c4e
• Opcode Fuzzy Hash: a76a19058438561155bf33b77a2617c8678542f06b33405acf70d89fc7c90836
• Instruction Fuzzy Hash: 31015B35C0252DDBCF40ABE5D889BEDBB78BB0A701F000586E912F2260DB3096959761
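The QueryPerformanceCounter / QueryPerformanceFrequency / Sleep chain in the record above is the shape behind the report's "execution timing, often used to detect debuggers" signature: read the counter, sleep, read it again, and compare the elapsed wall-clock time with what was requested. The same chain is also what a benign high-resolution sleep or timer routine looks like (the sample is flagged as a compiled AutoIt binary, whose runtime carries such helpers), so the listing alone does not prove evasion. The following is an added example, not code recovered from the sample or produced by Joe Sandbox. The thresholds (a 50 ms jitter allowance, a 20x slow-down bound) and the constructed counter readings are assumptions for illustration; the classification logic is kept portable so it runs anywhere, and the Win32 wrapper that performs the real API sequence is compiled only on Windows.

```c
/*
 * Added example (not from the sample or from Joe Sandbox): a Sleep-based
 * timing check of the kind the API chain above suggests.
 * The verdict logic is isolated from the Win32 calls so it can be
 * exercised with constructed readings on any platform.
 */
#include <stdint.h>
#include <stdio.h>

typedef enum {
    TIMING_OK,         /* elapsed time roughly matches the requested sleep */
    TIMING_TOO_SHORT,  /* sleep was skipped or accelerated: sandbox/hook suspected */
    TIMING_TOO_LONG    /* far more time passed than requested: single-stepping suspected */
} timing_verdict;

/*
 * Classify one measurement.
 *   before, after : QueryPerformanceCounter readings around the Sleep
 *   freq          : QueryPerformanceFrequency value (ticks per second)
 *   sleep_ms      : the argument passed to Sleep
 *   tolerance_ms  : scheduler jitter we accept in either direction (assumed)
 *   slow_factor   : how many times slower than requested is still "normal" (assumed)
 */
timing_verdict classify_sleep_timing(uint64_t before, uint64_t after,
                                     uint64_t freq, uint32_t sleep_ms,
                                     uint32_t tolerance_ms, uint32_t slow_factor)
{
    /* A zero frequency or a counter that runs backwards is itself a sign of tampering. */
    if (freq == 0 || after < before)
        return TIMING_TOO_SHORT;

    /* Convert ticks to milliseconds with integer arithmetic only. */
    uint64_t elapsed_ms = ((after - before) * 1000ULL) / freq;

    if (elapsed_ms + tolerance_ms < sleep_ms)
        return TIMING_TOO_SHORT;
    if (elapsed_ms > (uint64_t)sleep_ms * slow_factor + tolerance_ms)
        return TIMING_TOO_LONG;
    return TIMING_OK;
}

#ifdef _WIN32
#include <windows.h>

/* The live check: the same API sequence the record lists. */
timing_verdict run_sleep_timing_check(DWORD sleep_ms)
{
    LARGE_INTEGER freq, before, after;
    QueryPerformanceFrequency(&freq);
    QueryPerformanceCounter(&before);
    Sleep(sleep_ms);
    QueryPerformanceCounter(&after);
    return classify_sleep_timing((uint64_t)before.QuadPart, (uint64_t)after.QuadPart,
                                 (uint64_t)freq.QuadPart, sleep_ms, 50, 20);
}
#endif

int main(void)
{
    /* Constructed readings for a 10 MHz counter (assumed). */
    const uint64_t freq = 10000000ULL;

    /* An honest 500 ms sleep elapses 5,000,000 ticks. */
    printf("honest:      %d\n",
           classify_sleep_timing(1000, 1000 + 5000000ULL, freq, 500, 50, 20));
    /* A sandbox that returns from Sleep(500) after only 2 ms. */
    printf("accelerated: %d\n",
           classify_sleep_timing(1000, 1000 + 20000ULL, freq, 500, 50, 20));
    /* A debugger single-stepping through the Sleep: 20 s elapsed. */
    printf("stepped:     %d\n",
           classify_sleep_timing(1000, 1000 + 200000000ULL, freq, 500, 50, 20));
#ifdef _WIN32
    printf("live:        %d\n", run_sleep_timing_check(500));
#endif
    return 0;
}
```

When triaging a function like this, the discriminator is what happens on the TIMING_TOO_SHORT branch: a timer helper simply returns or sleeps again, whereas an evasion routine branches to an exit or to a benign decoy path. That control flow, not the API chain by itself, is what separates the two readings of this record.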
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C11114
• GetLastError.KERNEL32(?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C11120
• GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C1112F
• HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C11136
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C1114D
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 842720411-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: eadc1598150e1a218485b2ea1b919a8ca0f3caf64a4f0900de093c5a653ffe83
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ea80d1f53ad96b5193aacc11d932619131266916e00cc55d149911de01c22980
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eadc1598150e1a218485b2ea1b919a8ca0f3caf64a4f0900de093c5a653ffe83
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6D016979602205BFDB514FA5DC89BAE3B6EFF8B3A4B240418FA41C3360DA31DD409A60
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C10FCA
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C10FD6
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C10FE5
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C10FEC
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C11002
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: a4368d8ae7dfe92f75c9d1d63e1123bc39e51144da90ca4a3d28fbc055679aa0
• Instruction ID: 48e3a6b0cb853418f4e632dea90f3e1f791def507a9784503e0890d8b5c24486
• Opcode Fuzzy Hash: a4368d8ae7dfe92f75c9d1d63e1123bc39e51144da90ca4a3d28fbc055679aa0
• Instruction Fuzzy Hash: 89F04939602301AFDB214FA49C89F9A3BADFF8A7A2F144414FA45C6261CA74DC908A60
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C1102A
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C11036
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C11045
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C1104C
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C11062
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: ac14b4bfcf6fb1345d677ba403e2059fc2c9f2cdd82d98da9fd679091d7749b4
• Instruction ID: baced1b4745af1af8b3ce68efd8872c2b00226320457ca378a9aa262edc6fccf
• Opcode Fuzzy Hash: ac14b4bfcf6fb1345d677ba403e2059fc2c9f2cdd82d98da9fd679091d7749b4
• Instruction Fuzzy Hash: 14F06D39602301EBDB215FA5EC89F9A3BADFF8B761F140414FE45C7260CA74D991CA60
APIs
• CloseHandle.KERNEL32(?,?,?,?,00C2017D,?,00C232FC,?,00000001,00BF2592,?), ref: 00C20324
• CloseHandle.KERNEL32(?,?,?,?,00C2017D,?,00C232FC,?,00000001,00BF2592,?), ref: 00C20331
• CloseHandle.KERNEL32(?,?,?,?,00C2017D,?,00C232FC,?,00000001,00BF2592,?), ref: 00C2033E
• CloseHandle.KERNEL32(?,?,?,?,00C2017D,?,00C232FC,?,00000001,00BF2592,?), ref: 00C2034B
• CloseHandle.KERNEL32(?,?,?,?,00C2017D,?,00C232FC,?,00000001,00BF2592,?), ref: 00C20358
• CloseHandle.KERNEL32(?,?,?,?,00C2017D,?,00C232FC,?,00000001,00BF2592,?), ref: 00C20365
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CloseHandle
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2962429428-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: f6dc0ad8f1148967a329948b02f2b5ea9bb7244805e1be4c18c41fd962d20eb3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: dcf0580ffd1d813f91f686de102f8775da93a0c8a9c54b21d3fef49f6eaa42d2
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f6dc0ad8f1148967a329948b02f2b5ea9bb7244805e1be4c18c41fd962d20eb3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1401A272801B259FC7309F66E880416FBF5BF503153258A3FD1A652932C3B1AA54CF80
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BED752
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000), ref: 00BE29DE
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BE29C8: GetLastError.KERNEL32(00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000,00000000), ref: 00BE29F0
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BED764
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BED776
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BED788
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BED79A
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 3edd93d844d922d7e39f876977f73d274d6a7194c4cbdd70c12051c62cf3c1fa
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: c526c60e561e9cd7cce40fd8898032fe2277cb786323a328542a81ee6c4a0eeb
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3edd93d844d922d7e39f876977f73d274d6a7194c4cbdd70c12051c62cf3c1fa
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 41F06232500289ABC721EB66F9C2E1A77DDFB04310B951899F058E7642CB78FC808660
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00C15C58
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C15C6F
                                                                                                                                                                                                                                                                                                                                                                                • MessageBeep.USER32(00000000), ref: 00C15C87
                                                                                                                                                                                                                                                                                                                                                                                • KillTimer.USER32(?,0000040A), ref: 00C15CA3
                                                                                                                                                                                                                                                                                                                                                                                • EndDialog.USER32(?,00000001), ref: 00C15CBD
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3741023627-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c26ca153f8931fead4bd2eda6087fa55a17dd1d4305bc3f60e3a20212c4a43ca
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: cc6d89243dd7f55f092c19568b8e63f9fb4494b9dad870dd323606ee8feb9865
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c26ca153f8931fead4bd2eda6087fa55a17dd1d4305bc3f60e3a20212c4a43ca
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 93018134501B04EBEB205F10DD9EFEA77B8BB46B05F010559B693A10F1DBF4AA949A90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BE22BE
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000), ref: 00BE29DE
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BE29C8: GetLastError.KERNEL32(00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000,00000000), ref: 00BE29F0
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BE22D0
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BE22E3
• _free.LIBCMT ref: 00BE22F4
• _free.LIBCMT ref: 00BE2305
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 98590cf3704eb205d03ea5d284818367780ebec6f94db8c0654f327a34b1a635
• Instruction ID: ba6eaebb3d1c59de752baeb29db261f5856a4471801d7703264178a7658cd99e
• Opcode Fuzzy Hash: 98590cf3704eb205d03ea5d284818367780ebec6f94db8c0654f327a34b1a635
• Instruction Fuzzy Hash: 3AF054754001558B8722AF95BC42B0C3BECF718760B15555AF514DA3B2C73C04529FE9
APIs
• EndPath.GDI32(?), ref: 00BC95D4
• StrokeAndFillPath.GDI32(?,?,00C071F7,00000000,?,?,?), ref: 00BC95F0
• SelectObject.GDI32(?,00000000), ref: 00BC9603
• DeleteObject.GDI32 ref: 00BC9616
• StrokePath.GDI32(?), ref: 00BC9631
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: 2011e164de1fbd9e30d84c293d5cb84b709275d1b1320725a22863a176d6a4db
• Instruction ID: 799ea648effcbd359d8b1f89c1c81316dea1931412a0f1c21c30f9ab43c38d51
• Opcode Fuzzy Hash: 2011e164de1fbd9e30d84c293d5cb84b709275d1b1320725a22863a176d6a4db
• Instruction Fuzzy Hash: 85F0EC35006704EBEB665F65ED5CB6C3BE9FB12322F088268F865550F0D7348996DF28
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: __freea$_free
• String ID: a/p$am/pm
• API String ID: 3432400110-3206640213
• Opcode ID: f5f79bb7c7d63f9d8d5d3bff949ec2c5f81a43927070c94842727f943229934d
• Instruction ID: d390c44fd1d8141ab17eca1a7d858cdd6e0bd445f24d1c83e71eae9efcd8067e
• Opcode Fuzzy Hash: f5f79bb7c7d63f9d8d5d3bff949ec2c5f81a43927070c94842727f943229934d
• Instruction Fuzzy Hash: 99D1F371900286EACB249F6EC895BFEB7F0EF05700F344AD9E601AB651D3759D80CBA5
APIs
  • Part of subcall function 00C1B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C121D0,?,?,00000034,00000800,?,00000034), ref: 00C1B42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C12760
  • Part of subcall function 00C1B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C1B3F8
  • Part of subcall function 00C1B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C1B355
  • Part of subcall function 00C1B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C12194,00000034,?,?,00001004,00000000,00000000), ref: 00C1B365
  • Part of subcall function 00C1B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C12194,00000034,?,?,00001004,00000000,00000000), ref: 00C1B37B
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C127CD
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C1281A
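The chain listed above (GetWindowThreadProcessId, OpenProcess with access mask 00000438, VirtualAllocEx with protection 00000004, WriteProcessMemory, SendMessageW, ReadProcessMemory) looks like process injection at first glance, so it is worth decoding before treating it as one. The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it parses API lines in the format this report prints (the first input list is copied from the APIs list above; the second, injection-style chain is constructed for comparison and its addresses are hypothetical), expands the access mask, page protection and window-message IDs using well-known constants from winnt.h and commctrl.h, and applies a verdict heuristic that is this example's own assumption, not a Joe Sandbox signature. Note that a static listing shows placeholder arguments ('?') for most parameters, so the decoded values should be confirmed against a dynamic API trace before they are relied on.

```python
"""Added triage helper, not part of the Joe Sandbox report and not the sample's code:
decode the OpenProcess / VirtualAllocEx / WriteProcessMemory / SendMessageW /
ReadProcessMemory chain from API lines in the format the report prints."""
import re
from dataclasses import dataclass

# Well-known constants: process access rights and page protections (winnt.h),
# common-control messages (commctrl.h, LVM_FIRST = 0x1000, TV_FIRST = 0x1100).
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
WINDOW_MESSAGES = {0x1004: "LVM_GETITEMCOUNT", 0x1073: "LVM_GETITEMTEXTW",
                   0x1104: "TVM_GETITEMRECT", 0x1111: "TVM_HITTEST"}
# APIs that turn a remote write into remote execution.
EXEC_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
             "QueueUserAPC", "SetThreadContext"}

# Copied from the report's APIs list for the function at 00C12760.
REPORT_LINES = [
    "• Part of subcall function 00C1B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C121D0,?,?,00000034,00000800,?,00000034), ref: 00C1B42D",
    "• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C12760",
    "• Part of subcall function 00C1B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C1B3F8",
    "• Part of subcall function 00C1B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C1B355",
    "• Part of subcall function 00C1B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C12194,00000034,?,?,00001004,00000000,00000000), ref: 00C1B365",
    "• Part of subcall function 00C1B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C12194,00000034,?,?,00001004,00000000,00000000), ref: 00C1B37B",
    "• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C127CD",
    "• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C1281A",
]
# Constructed injection-style chain for comparison; addresses are hypothetical.
INJECTION_LINES = [
    "• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00401000",
    "• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00401020",
    "• WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00401040",
    "• CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000), ref: 00401060",
]

CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list  # one int per printed argument, None where the report printed '?'
    ref: int


def parse_call(line):
    """Parse one 'Api.MODULE(arg,...), ref: ADDR' report line."""
    m = CALL_RE.match(line.strip().lstrip("• "))
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    raw = m.group("args")
    args = [] if raw is None else [None if a == "?" else int(a, 16) for a in raw.split(",")]
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def decode_flags(value, table):
    """Expand a bit mask into flag names; unknown bits are appended as a hex remainder."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    return names + [hex(rest)] if rest else names


def arg(call, index):
    return call.args[index] if index < len(call.args) else None


def triage(lines):
    """Decode the chain and apply a heuristic verdict (this example's own heuristic)."""
    calls = [parse_call(l) for l in lines]
    apis = {c.api for c in calls}
    out = {"open_process_access": None, "remote_alloc_protect": None, "window_messages": []}
    for c in calls:
        if c.api == "OpenProcess" and arg(c, 0) is not None:
            out["open_process_access"] = decode_flags(arg(c, 0), PROCESS_ACCESS)
        elif c.api == "VirtualAllocEx" and arg(c, 4) is not None:
            out["remote_alloc_protect"] = PAGE_PROTECT.get(arg(c, 4), hex(arg(c, 4)))
        elif c.api == "SendMessageW" and arg(c, 1) is not None:
            out["window_messages"].append(WINDOW_MESSAGES.get(arg(c, 1), hex(arg(c, 1))))
    remote_write = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"} <= apis
    executes = bool(apis & EXEC_APIS) or out["remote_alloc_protect"] in (
        "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE")
    if remote_write and executes:
        out["verdict"] = "remote code injection"
    elif remote_write and out["window_messages"] and "GetWindowThreadProcessId" in apis:
        # TVM_GETITEMRECT, TVM_HITTEST and LVM_GETITEMTEXT take an lParam struct that must
        # live in the process owning the control, so a PAGE_READWRITE buffer written before
        # SendMessage and read back afterwards is a control query, not code injection.
        out["verdict"] = "cross-process control query (data buffer, no execution)"
    elif remote_write:
        out["verdict"] = "remote memory write, purpose unclear"
    else:
        out["verdict"] = "no remote memory chain"
    return out


if __name__ == "__main__":
    for name, lines in (("report", REPORT_LINES), ("constructed", INJECTION_LINES)):
        print(name, triage(lines))
```

For the report lines the mask 00000438 expands to PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE and PROCESS_QUERY_INFORMATION, the remote allocation is PAGE_READWRITE, and no thread-creation API appears, which is the shape of a runtime reading a common control in another window's process rather than of injection. The constructed chain differs on exactly the points that matter (PAGE_EXECUTE_READWRITE and CreateRemoteThread), which is what the heuristic keys on.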
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4150878124-2766056989
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ce3f4608d7be6370a95eb030e25300d34a62a8d4add262772035defcb69034f4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f6fac14ffa117f28bb7b5c373f6dc45b9074b4fdd4ab9d25bd92c8632dc777ae
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ce3f4608d7be6370a95eb030e25300d34a62a8d4add262772035defcb69034f4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2C413D76900218AFDB10DFA4CD81BEEBBB8AF06300F008095FA55B7191DB706E85DBA0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\P0HV8mjHS1.exe,00000104), ref: 00BE1769
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BE1834
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 00BE183E
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _free$FileModuleName
                                                                                                                                                                                                                                                                                                                                                                                • String ID: C:\Users\user\Desktop\P0HV8mjHS1.exe
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2506810119-1732935625
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: eeef2152cc5b48171a1f2bfeec132068e146ba1d6d0d9ba043c29b2ebaa85c12
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 1e1308cf0c8b874833d94fe63faded4dcec2515b4d83851142421bac6755aba1
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eeef2152cc5b48171a1f2bfeec132068e146ba1d6d0d9ba043c29b2ebaa85c12
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BF3180B5A00298ABDB21DB9A9C81E9EBBFCEB85710B2445E6F80597211D7708E41CB90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C4CC08,00000000,?,?,?,?), ref: 00C444AA
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32 ref: 00C444C7
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C444D7
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Window$Long
                                                                                                                                                                                                                                                                                                                                                                                • String ID: SysTreeView32
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 847901565-1698111956
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ee8c912ad724970d2ec960b469ce72e688a4f8a01d00d8818d0f4bbeaa764b29
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 8aacdb0ece486a9d3ccf9fea5d18d545aef37265e9ed75e5b7aae79b5435ea9e
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ee8c912ad724970d2ec960b469ce72e688a4f8a01d00d8818d0f4bbeaa764b29
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1D316B32210605ABDF249E78DC85BEA7BA9FB09334F209725F979921E0D770AD509B50
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C3335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C33077,?,?), ref: 00C33378
                                                                                                                                                                                                                                                                                                                                                                                • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C3307A
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00C3309B
                                                                                                                                                                                                                                                                                                                                                                                • htons.WSOCK32(00000000,?,?,00000000), ref: 00C33106
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ByteCharMultiWide_wcslenhtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 946324512-2422070025
• Opcode ID: b3c6f572a08794eaa15ebb4b3754e1556ba6c9943676aadfa5cc6685a340a3cb
• Instruction ID: 4bb3ea1112c7d7c7a167caf65d9533b6121c433143e29fa9369e4d32913c4f7b
• Opcode Fuzzy Hash: b3c6f572a08794eaa15ebb4b3754e1556ba6c9943676aadfa5cc6685a340a3cb
• Instruction Fuzzy Hash: 3531D5396142819FCB14DF69C585EA977F0EF54318F248099E9258F3A2DB71DF41C760
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C44705
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C44713
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C4471A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
• Opcode ID: a1c04d590583386408a146246c96707b970601292ad980272370229a45a79dea
• Instruction ID: ab1e8960f0aeba5c85cc638fa79862ed65e29c4c0543bba77e64974c01467806
• Opcode Fuzzy Hash: a1c04d590583386408a146246c96707b970601292ad980272370229a45a79dea
• Instruction Fuzzy Hash: C4214AB5600209AFDB14DF64DCC1EBA37EDFB5A3A4B150059FA149B361CB70ED12CA60
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _wcslen
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 176396367-2734436370
• Opcode ID: be61b58f0af158f35442caebbd6ab9e2dd950c998b7f9ffb2a6edac8dc88d7d9
• Instruction ID: 695ea044d6d327bafd0c6df1a65e143508800cb5afa600b6ccab8b85a0611a34
• Opcode Fuzzy Hash: be61b58f0af158f35442caebbd6ab9e2dd950c998b7f9ffb2a6edac8dc88d7d9
• Instruction Fuzzy Hash: CD213B32104511A7D331AB259C22FF7B3D9EF93300F10407AF95997141EBB1AE82E2A5
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C43840
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C43850
• MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C43876
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: 779cfbd94588a6e2a942b5c4ffc04a4bc525e5a97573a84dccd4c44ec7ae3db1
• Instruction ID: 97a0e3fab7a41bb8b2c614bcecb1ad4094751290e37f4ede153531708d5f1dbd
• Opcode Fuzzy Hash: 779cfbd94588a6e2a942b5c4ffc04a4bc525e5a97573a84dccd4c44ec7ae3db1
• Instruction Fuzzy Hash: A221BE72600218BBEB218F55CC85FBB3B6EFFC9760F118125F9549B190C671DD5287A0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00C24A08
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C24A5C
• SetErrorMode.KERNEL32(00000000,?,?,00C4CC08), ref: 00C24AD0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ErrorMode$InformationVolume
                                                                                                                                                                                                                                                                                                                                                                                • String ID: %lu
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2507767853-685833217
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: f79b629866164b0200903a3b8b11069d8512e39428e433ea44b088772db48df0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 141a7034996c63ad7ff3bc7c0884ec27599e4e414b5f5d268e346ba4abd5d9c3
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f79b629866164b0200903a3b8b11069d8512e39428e433ea44b088772db48df0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A4316F75A00219AFDB10DF54C885EAE7BF8EF09308F1480A9F909DB262D771EE45CB61
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C4424F
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C44264
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C44271
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: 702e58df82401108e4ce61251338075300e802164cd6313ba3b93d7f20b0084f
• Instruction ID: 29f647b8a11e0d6ba780c0867c4a2b06e728d2ca9ab1db248d2d654aa70332af
• Opcode Fuzzy Hash: 702e58df82401108e4ce61251338075300e802164cd6313ba3b93d7f20b0084f
• Instruction Fuzzy Hash: C211C271240248BEEF205F69CC46FAB3BACFF95B64F114624FA55E60A0D6B1DC519B20
APIs
  • Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A
  • Part of subcall function 00C12DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C12DC5
  • Part of subcall function 00C12DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C12DD6
  • Part of subcall function 00C12DA7: GetCurrentThreadId.KERNEL32 ref: 00C12DDD
  • Part of subcall function 00C12DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C12DE4
• GetFocus.USER32 ref: 00C12F78
  • Part of subcall function 00C12DEE: GetParent.USER32(00000000), ref: 00C12DF9
• GetClassNameW.USER32(?,?,00000100), ref: 00C12FC3
• EnumChildWindows.USER32(?,00C1303B), ref: 00C12FEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
• String ID: %s%d
• API String ID: 1272988791-1110647743
• Opcode ID: 2974421280ea6539540ca021b4edc6987555863937e0eb9102690839c2ab3845
• Instruction ID: 1ae4f8a6c8267d2e8d84982741ae3aacc3b6a78eb243b1b5e20f80adf7cf29ad
• Opcode Fuzzy Hash: 2974421280ea6539540ca021b4edc6987555863937e0eb9102690839c2ab3845
• Instruction Fuzzy Hash: AC11A2756002056BDF547F60DCD6FED37AAAF8A304F048075B9099B252DE709A85EB70
APIs
• GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C458C1
• SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C458EE
• DrawMenuBar.USER32(?), ref: 00C458FD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Menu$InfoItem$Draw
                                                                                                                                                                                                                                                                                                                                                                                • String ID: 0
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3227129158-4108050209
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d5c6837654fff828e1e56dc6932e5befd74bab8ae2ca68510ea0e155eb81aca2
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 03fe3326cc7a9606da3a9cd00873b646c426a4fb0e85bef5c303ea9d1fb746e8
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d5c6837654fff828e1e56dc6932e5befd74bab8ae2ca68510ea0e155eb81aca2
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1A018C31501219EFDB619F21DC44FAEBBB5FF46760F1080E9E849DA162DB308A85EF21
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ae8f2d53fe8266403301b372aa743dd587f651d1f42a15ff582d7722828babbc
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 3c06b98cd670a9dfa4a37fc7a6930d9687d5e79bce7e536bb09d69d7c9ed8e1c
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ae8f2d53fe8266403301b372aa743dd587f651d1f42a15ff582d7722828babbc
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B1C15C75A0020AEFDB14CF94C898AAEB7B5FF49304F208598E515EB261D771DEC2DB90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Variant$ClearInitInitializeUninitialize
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1998397398-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 6d9f2e33614aefa0312eac9a62a0d551b00cbb6160fcd4bfb6ebef9be78fdeb3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f900d8dc78b09fe37094031c545544abef8004f6e79963a05a93fa6c642e2a51
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6d9f2e33614aefa0312eac9a62a0d551b00cbb6160fcd4bfb6ebef9be78fdeb3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: ACA15A756143009FC710DF28C596A6AB7E5FF89714F04889DF98A9B362DB70EE01CB92
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C4FC08,?), ref: 00C105F0
                                                                                                                                                                                                                                                                                                                                                                                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C4FC08,?), ref: 00C10608
                                                                                                                                                                                                                                                                                                                                                                                • CLSIDFromProgID.OLE32(?,?,00000000,00C4CC40,000000FF,?,00000000,00000800,00000000,?,00C4FC08,?), ref: 00C1062D
                                                                                                                                                                                                                                                                                                                                                                                • _memcmp.LIBVCRUNTIME ref: 00C1064E
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: FromProg$FreeTask_memcmp
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 314563124-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 628874c3a3f78744cf5b08e8e7247ff289ae45d860732f0322627718a52827b6
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e7234eafa748daa5f55eeaa172c44a4ba54146959c85292227262f8b92d3d344
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 628874c3a3f78744cf5b08e8e7247ff289ae45d860732f0322627718a52827b6
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 47812C71A00109EFCB04DF94C984EEEB7B9FF89315F204598F516AB250DB71AE86CB60
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00C3A6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 00C3A6BA
  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
• Process32NextW.KERNEL32(00000000,?), ref: 00C3A79C
• CloseHandle.KERNEL32(00000000), ref: 00C3A7AB
  • Part of subcall function 00BCCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00BF3303,?), ref: 00BCCE8A
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
• String ID:
• API String ID: 1991900642-0
• Opcode ID: 63637eb19a1b75f033e300885fa29c4faa12c674b82862193fba68f7598da725
• Instruction ID: b486493452528e7d982cad8ce5677bad1804d6dd687c935153d2bbcec3273d7e
• Opcode Fuzzy Hash: 63637eb19a1b75f033e300885fa29c4faa12c674b82862193fba68f7598da725
• Instruction Fuzzy Hash: E9514AB1508300AFD714EF24C886AAFBBE8FF89754F00495DF599972A1EB70D904CB92
APIs
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 04758bf326b32667b84acedb68ffca8ecf2c9c082c1e51e6d19520f894c95865
• Instruction ID: 5797217f661df1df44c03453c521a9f70e4da810ea37ed0901b90af10d1f16b4
• Opcode Fuzzy Hash: 04758bf326b32667b84acedb68ffca8ecf2c9c082c1e51e6d19520f894c95865
• Instruction Fuzzy Hash: 6F417C31600109EBDB216BBD9C857BE7AE4EF81330F144EE6FA19D3392E73448095A71
APIs
• GetWindowRect.USER32(?,?), ref: 00C462E2
• ScreenToClient.USER32(?,?), ref: 00C46315
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00C46382
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: bbf09b34edfa5498c334762f47c766adf082d7cb2ccae95610937ec398af8d1e
• Instruction ID: 4864084cb020c516820c88f86e2d739ff6b3f4186e36f8b9dc3fe92bbaaa4854
• Opcode Fuzzy Hash: bbf09b34edfa5498c334762f47c766adf082d7cb2ccae95610937ec398af8d1e
• Instruction Fuzzy Hash: CC516F74A00249EFCF24DF54D880AAE7BB5FF46360F108259F925972A4D730EE41CB51
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00C31AFD
• WSAGetLastError.WSOCK32 ref: 00C31B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C31B8A
• WSAGetLastError.WSOCK32 ref: 00C31B94
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ErrorLast$socket
• String ID:
• API String ID: 1881357543-0
• Opcode ID: 9b99b2e13f1743b5b9b054a01360649a437a51963e37da8ee12617ca2527138f
• Instruction ID: 8c725d68f0037ea23e326db49bf07657e197af763b9238d267d281d7ae567d9c
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9b99b2e13f1743b5b9b054a01360649a437a51963e37da8ee12617ca2527138f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4D418174640200AFE720AF24C886F7A77E5AB44718F58849CF91A9F7D2D7B2DD41CB90
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 777a327d275b53b69d1e653c412e29f1d461317e1df12bcf37f8af003e9f9d66
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 5d82ce39d085abe7b0819769beb54e2a5c1f3bcab37359539826643ecc913ffb
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 777a327d275b53b69d1e653c412e29f1d461317e1df12bcf37f8af003e9f9d66
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C041CFB5A00284AFD7249F79C841BABBBF9EB88710F1045AEF5469B282D771A9058780
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C25783
                                                                                                                                                                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,00000000), ref: 00C257A9
                                                                                                                                                                                                                                                                                                                                                                                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C257CE
                                                                                                                                                                                                                                                                                                                                                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C257FA
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3321077145-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 3a572a9e500053468d9122a33612a10051b87cdfca2da9f80a385b5226e1a59a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f8507c7aee62853b58b8867e6eee7ede32d0959da4001e070552eecc1110c1e1
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3a572a9e500053468d9122a33612a10051b87cdfca2da9f80a385b5226e1a59a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A6413E39610610DFCB21DF15C455A6EBBF2EF99720B18C488E85A9B762CBB4FD40CB91
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00BD6D71,00000000,00000000,00BD82D9,?,00BD82D9,?,00000001,00BD6D71,8BE85006,00000001,00BD82D9,00BD82D9), ref: 00BED910
                                                                                                                                                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BED999
                                                                                                                                                                                                                                                                                                                                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BED9AB
                                                                                                                                                                                                                                                                                                                                                                                • __freea.LIBCMT ref: 00BED9B4
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BE3820: RtlAllocateHeap.NTDLL(00000000,?,00C81444,?,00BCFDF5,?,?,00BBA976,00000010,00C81440,00BB13FC,?,00BB13C6,?,00BB1129), ref: 00BE3852
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2652629310-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: b3d25a8f1480ff2f2fcbb4e5abe16be07f2cd7f8cf9ecf7be9175c71fbba7372
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ea5224b4e24b8dc5dae953db82a835bed3f14c676391358ed84acad147595412
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b3d25a8f1480ff2f2fcbb4e5abe16be07f2cd7f8cf9ecf7be9175c71fbba7372
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1431EF72A0024AABDF24DF66DC85EAE7BE5EB41310F0502A9FC04D7261EB75CD50CBA0
APIs
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00C45352
• GetWindowLongW.USER32(?,000000F0), ref: 00C45375
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C45382
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C453A8
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: LongWindow$InvalidateMessageRectSend
• String ID:
• API String ID: 3340791633-0
• Opcode ID: 7ec3fd39bbcce5c1d1550620afb7ccbf1856786ffeeba3a289cca1ec8697fc00
• Instruction ID: ffea444e27711bc94ed67c782df3c1ec4ae5188b9cca2869b0cc53c1fb410904
• Opcode Fuzzy Hash: 7ec3fd39bbcce5c1d1550620afb7ccbf1856786ffeeba3a289cca1ec8697fc00
• Instruction Fuzzy Hash: 2531A035A56A08EFEB309F14CC46BE877A5BB05390F584141FA21962F2C7B4AE80EB41
APIs
• GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 00C1ABF1
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00C1AC0D
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00C1AC74
• SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 00C1ACC6
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 690fe6306d43458c5df08ef96a6c5997b4e6dc7e0baf1b4fd14efd90269accc5
• Instruction ID: b942868738ef0861be28a7372b644ef0f1457b46f9ce4aeab0f944bf1f140b9d
• Opcode Fuzzy Hash: 690fe6306d43458c5df08ef96a6c5997b4e6dc7e0baf1b4fd14efd90269accc5
• Instruction Fuzzy Hash: 31310870A017186FEF35CB658C247FE7BA5AB87310F04421AE495922E1D3768AC5A7D2
APIs
• ClientToScreen.USER32(?,?), ref: 00C4769A
• GetWindowRect.USER32(?,?), ref: 00C47710
• PtInRect.USER32(?,?,00C48B89), ref: 00C47720
• MessageBeep.USER32(00000000), ref: 00C4778C
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: 1aa512c544e7ca07fb05c6cacbb67e9c26f15e3d2484ca1d95d6100aacdd9068
• Instruction ID: 3a550f83879fd79155fdbaf54307a4fcb603fae62381b2fd971a86e89d5bb311
• Opcode Fuzzy Hash: 1aa512c544e7ca07fb05c6cacbb67e9c26f15e3d2484ca1d95d6100aacdd9068
• Instruction Fuzzy Hash: 55416D38605214DFCB12CF58C894FAD77F9FF49324F5942A9E8249B261C731AA42CF90
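The per-function "APIs" blocks in this report are easy to triage once they are parsed into records: a function that calls GetKeyboardState and SetKeyboardState around SendInput is synthesizing keystrokes with the modifier state forced, and one that calls AttachThreadInput (via the subcall at 00C13A3D) together with GetForegroundWindow and GetCaretPos is reading the caret position out of another thread's window. The script below is an added example, not part of the Joe Sandbox report or the analysed sample; it parses blocks in the format shown on this page and flags those two chains. The sample text is copied from the blocks above and the chain definitions are this example's own heuristics, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox per-function 'APIs' blocks and flag API-call chains.

Added example, not part of the report.  CHAINS holds this example's own
heuristics (an assumption), not Joe Sandbox signature logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One API call line, e.g. "• SendInput.USER32(00000001,?,...), ref: 00C1ACC6"
# or the indented form "• Part of subcall function 00C13A3D: GetCaretPos.USER32(?), ref: ...".
API_LINE = re.compile(
    r"^\s*[•*-]?\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"      # Name.MODULE
    r"(?:\((?P<args>[^)]*)\))?,?\s*"       # optional argument list
    r"ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# Metadata lines such as "• API ID: KeyboardState$InputMessagePostSend".
FIELD_LINE = re.compile(r"^\s*[•*-]?\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SECTION_HEADERS = ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                      # call-site address inside the dumped image
    subcall: str | None = None    # callee address when the call is indirect


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)

    @property
    def api_names(self) -> set[str]:
        return {c.name for c in self.calls}


def parse_blocks(text: str) -> list[FunctionBlock]:
    """Split report text into one FunctionBlock per 'APIs' heading."""
    blocks: list[FunctionBlock] = []
    in_apis = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            blocks.append(FunctionBlock())
            in_apis = True
            continue
        if not blocks:
            continue
        if line in SECTION_HEADERS:
            in_apis = False
            continue
        m = API_LINE.match(raw) if in_apis else None
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            blocks[-1].calls.append(
                ApiCall(m["name"], m["module"], args, m["ref"].upper(), m["sub"])
            )
            continue
        f = FIELD_LINE.match(raw)
        if f:
            blocks[-1].meta[f["key"].strip()] = f["val"].strip()
    return blocks


# Assumed chains of interest (this example's heuristics).
CHAINS: dict[str, frozenset[str]] = {
    # Keyboard state saved/forced around SendInput: synthesized keystrokes.
    "synthesized-keystrokes": frozenset({"GetKeyboardState", "SetKeyboardState", "SendInput"}),
    # AttachThreadInput + GetCaretPos on the foreground window: caret read
    # from another thread's window.
    "foreground-caret-read": frozenset({"GetForegroundWindow", "AttachThreadInput", "GetCaretPos"}),
}


def flag_chains(blocks: list[FunctionBlock]) -> list[tuple[str, str]]:
    """Return (API ID, chain label) for every block whose calls cover a chain."""
    hits: list[tuple[str, str]] = []
    for b in blocks:
        for label, needed in CHAINS.items():
            if needed <= b.api_names:
                hits.append((b.meta.get("API ID", "?"), label))
    return hits


# Constructed sample: two blocks copied from this report's own listing.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 00C1ABF1
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00C1AC0D
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00C1AC74
• SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 00C1ACC6
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Similarity
• API ID: KeyboardState$InputMessagePostSend
• Instruction Fuzzy Hash: 31310870A017186FEF35CB658C247FE7BA5AB87310F04421AE495922E1D3768AC5A7D2
APIs
• GetForegroundWindow.USER32 ref: 00C416EB
  • Part of subcall function 00C13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C13A57
  • Part of subcall function 00C13A3D: GetCurrentThreadId.KERNEL32 ref: 00C13A5E
  • Part of subcall function 00C13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C125B3), ref: 00C13A65
• GetCaretPos.USER32(?), ref: 00C416FF
• ClientToScreen.USER32(00000000,?), ref: 00C4174C
• GetForegroundWindow.USER32 ref: 00C41752
"""

if __name__ == "__main__":
    for api_id, label in flag_chains(parse_blocks(SAMPLE)):
        print(f"{label}: {api_id}")
```

The subcall address is kept on each ApiCall so a hit can be traced back to the shared helper (here 00C13A3D) rather than only to the caller; when running this over a full report, group hits by that address to see how many functions route through the same thread-attach helper.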
APIs
• GetForegroundWindow.USER32 ref: 00C416EB
  • Part of subcall function 00C13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C13A57
  • Part of subcall function 00C13A3D: GetCurrentThreadId.KERNEL32 ref: 00C13A5E
  • Part of subcall function 00C13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C125B3), ref: 00C13A65
• GetCaretPos.USER32(?), ref: 00C416FF
• ClientToScreen.USER32(00000000,?), ref: 00C4174C
• GetForegroundWindow.USER32 ref: 00C41752
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2759813231-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 4a74f1cea1aac2ad2d50fe2ab7b739042f0a5af4a9cb3770533288508775c510
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 826fe34a39b402e5027cfff91a709264e0d3a9d9f3825d041ae313cd7bcfdb92
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4a74f1cea1aac2ad2d50fe2ab7b739042f0a5af4a9cb3770533288508775c510
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0C311D75D00149AFCB00EFA9C8819FEBBF9FF49304B5480AAE455E7211DA759E45CBA0
APIs
  • Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2
• GetCursorPos.USER32(?), ref: 00C49001
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C07711,?,?,?,?,?), ref: 00C49016
• GetCursorPos.USER32(?), ref: 00C4905E
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C07711,?,?,?), ref: 00C49094
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: 1e1623b8042478d729b7eadfdc0a839539c7d409abaa4374ed39e9457ad08421
• Instruction ID: 3311cc0ca7c75c3a5d23b32dd0f49190b337c86aab5f3fc23fd2d15ed1612bfc
• Opcode Fuzzy Hash: 1e1623b8042478d729b7eadfdc0a839539c7d409abaa4374ed39e9457ad08421
• Instruction Fuzzy Hash: 56218D35601028AFDB25CF94C899FEF7BB9FB4A360F044059F91547261C7319A51EB60
APIs
• GetFileAttributesW.KERNEL32(?,00C4CB68), ref: 00C1D2FB
• GetLastError.KERNEL32 ref: 00C1D30A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00C1D319
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C4CB68), ref: 00C1D376
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
• Opcode ID: b0cc7e7cd83355c5515af69b74c90dcf1d3e9991cfc83d72ef4af7b2ec035a0c
• Instruction ID: 3c0b212aca56f58cb883eef6228b7453cfcbae8257863298323413dac8b14e2e
• Opcode Fuzzy Hash: b0cc7e7cd83355c5515af69b74c90dcf1d3e9991cfc83d72ef4af7b2ec035a0c
• Instruction Fuzzy Hash: 9F217C745092019F8710DF28C8819AE77E4BE56364F504A59F4AAC32B1DB70DA86DB93
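The per-function "APIs" lists in this report mix a function's own calls with calls inherited from its subcalls ("Part of subcall function ..."), and annotate known constants as VALUE(Name). When triaging a listing of this size it helps to parse those lines and tag the API chains mechanically. The script below is an added example by the editor, not Joe Sandbox code: the line grammar is inferred from the entries on this page, the sample inputs are copied from this listing, and the chain-to-tag rules are the editor's own assumptions, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox per-function "APIs" entries and summarise each function's
direct calls, inherited subcalls, annotated constants and API chains.
Sample lines below are copied from the function listing on this page."""
import re
from dataclasses import dataclass
from typing import Optional

# Direct calls print as "• Api.MODULE(args), ref: ADDR"; calls made by a callee print as
# "• Part of subcall function ADDR: Api.MODULE(args), ref: ADDR". Some entries have no
# argument list at all (e.g. "GetLastError.KERNEL32 ref: 00C1D30A"). Grammar inferred
# from this page, not taken from a Joe Sandbox specification.
_LINE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<callee>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# Joe Sandbox annotates resolved constants as VALUE(Name), e.g. 00000003(TokenIntegrityLevel).
_NAMED_CONST = re.compile(r"[0-9A-F]+\((\w+)\)")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    callee: Optional[str] = None  # address of the subcall this entry was inherited from

    @property
    def named_constants(self) -> list:
        return [m.group(1) for a in self.args for m in _NAMED_CONST.finditer(a)]

def parse_api_block(text: str) -> list:
    """Return one ApiCall per recognised line; headings and other bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["callee"]))
    return calls

# Assumed triage rules (editor's own): a function whose calls, direct or inherited,
# include every API in the key receives the tag.
CHAIN_RULES = {
    frozenset({"GetFileAttributesW", "CreateDirectoryW"}): "create-directory-if-missing",
    frozenset({"GetCursorPos", "TrackPopupMenuEx"}): "context-menu at cursor",
    frozenset({"GetTokenInformation", "LookupPrivilegeValueW"}): "token/privilege inspection",
}

def summarise(text: str) -> dict:
    calls = parse_api_block(text)
    direct = [c for c in calls if c.callee is None]
    inherited = [c for c in calls if c.callee is not None]
    names = {c.api for c in calls}
    return {
        "direct": [f"{c.api}.{c.module}@{c.ref}" for c in direct],
        "inherited_from": sorted({c.callee for c in inherited}),
        "tags": [tag for apis, tag in CHAIN_RULES.items() if apis <= names],
        "named_constants": sorted({n for c in calls for n in c.named_constants}),
    }

# Copied from this listing: the directory-creation function and the token-inspection function.
SAMPLE_CREATE_DIR = """APIs
• GetFileAttributesW.KERNEL32(?,00C4CB68), ref: 00C1D2FB
• GetLastError.KERNEL32 ref: 00C1D30A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00C1D319
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C4CB68), ref: 00C1D376
"""
SAMPLE_TOKEN = """APIs
  • Part of subcall function 00C11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C1102A
  • Part of subcall function 00C11014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C11036
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C115BE
• _memcmp.LIBVCRUNTIME ref: 00C115E1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C11617
• HeapFree.KERNEL32(00000000), ref: 00C1161E
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CREATE_DIR, SAMPLE_TOKEN):
        print(summarise(sample))
```

Keeping inherited calls separate matters when reading the "API ID" similarity strings: a subcall's imports are folded into the parent's signature, so a parent that only forwards to a privilege-checking helper still carries GetTokenInformation in its ID. The tag rules are deliberately small; extend them with the chains you care about for a given family rather than treating them as a general capability taxonomy.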
APIs
  • Part of subcall function 00C11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C1102A
  • Part of subcall function 00C11014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C11036
  • Part of subcall function 00C11014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C11045
  • Part of subcall function 00C11014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C1104C
  • Part of subcall function 00C11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C11062
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C115BE
• _memcmp.LIBVCRUNTIME ref: 00C115E1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C11617
• HeapFree.KERNEL32(00000000), ref: 00C1161E
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1592001646-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 4e86651bf21dce9c8754e16afcbd1d3f8aa606685b6ea776ce5aa1091f29ee46
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 23600c5d282648e18678346b467a0b7058af30505ad5775f7add16d67d15766f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4e86651bf21dce9c8754e16afcbd1d3f8aa606685b6ea776ce5aa1091f29ee46
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3B21BD31E01108EFDF00DFA4C944BEEB7B9EF86354F084459E911AB251E735AA85EBA0
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00C4280A
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C42824
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C42832
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C42840
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: e94ba5ee6239af504856794dfc9ed1a8d9d293fefc82f3f699e7ff2e5987503b
• Instruction ID: 797155a82c6e1f5938b5e1238285cbc89155c3c769026c14ff209cdf2650af8a
• Opcode Fuzzy Hash: e94ba5ee6239af504856794dfc9ed1a8d9d293fefc82f3f699e7ff2e5987503b
• Instruction Fuzzy Hash: ED21D335205111AFD714DB24C886FAE7BA9FF46324F148158F4268B6E2CBB1FD82CB90
APIs
  • Part of subcall function 00C18D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C1790A,?,000000FF,?,00C18754,00000000,?,0000001C,?,?), ref: 00C18D8C
  • Part of subcall function 00C18D7D: lstrcpyW.KERNEL32(00000000,?,?,00C1790A,?,000000FF,?,00C18754,00000000,?,0000001C,?,?,00000000), ref: 00C18DB2
  • Part of subcall function 00C18D7D: lstrcmpiW.KERNEL32(00000000,?,00C1790A,?,000000FF,?,00C18754,00000000,?,0000001C,?,?), ref: 00C18DE3
• lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C18754,00000000,?,0000001C,?,?,00000000), ref: 00C17923
• lstrcpyW.KERNEL32(00000000,?,?,00C18754,00000000,?,0000001C,?,?,00000000), ref: 00C17949
• lstrcmpiW.KERNEL32(00000002,cdecl,?,00C18754,00000000,?,0000001C,?,?,00000000), ref: 00C17984
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
• Opcode ID: 1263b8c6d00ed29060abf5d85c3c9ca1f53be3a61d99ff9342833b761d405b9b
• Instruction ID: 2520c8b99a3185fbac72b42508851a494ce16d1547d6bde5b8d2cc6cd94a8df5
• Opcode Fuzzy Hash: 1263b8c6d00ed29060abf5d85c3c9ca1f53be3a61d99ff9342833b761d405b9b
• Instruction Fuzzy Hash: 0C11063A200302ABCF15AF34D844EBA77B5FF86350B10412AF906C73A4EB319945E791
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00C47D0B
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00C47D2A
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C47D42
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C2B7AD,00000000), ref: 00C47D6B
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$Long
• String ID:
• API String ID: 847901565-0
APIs
• SendMessageW.USER32(?,00001060,?,00000004), ref: 00C456BB
• _wcslen.LIBCMT ref: 00C456CD
• _wcslen.LIBCMT ref: 00C456D8
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00C45816
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: MessageSend_wcslen
• String ID:
• API String ID: 455545452-0
APIs
• SetTextColor.GDI32(?,?), ref: 00BC98D6
• SetBkMode.GDI32(?,00000001), ref: 00BC98E9
• GetStockObject.GDI32(00000005), ref: 00BC98F1
• GetWindowLongW.USER32(?,000000EB), ref: 00BC9952
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ColorLongModeObjectStockTextWindow
• String ID:
• API String ID: 2960364272-0
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00C11A47
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C11A59
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C11A6F
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C11A8A
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00C1E1FD
                                                                                                                                                                                                                                                                                                                                                                                • MessageBoxW.USER32(?,?,?,?), ref: 00C1E230
                                                                                                                                                                                                                                                                                                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C1E246
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C1E24D
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: 72489bebe97ccaa47f5ad03bec6b8b50a4ec66177dd8b40734516a29f3c8b435
• Instruction ID: cd4581cd30bcbca6912763c7095a6697077a9c0e5836caf2a57fb7a2f3bb34e0
• Opcode Fuzzy Hash: 72489bebe97ccaa47f5ad03bec6b8b50a4ec66177dd8b40734516a29f3c8b435
• Instruction Fuzzy Hash: 0411D676A04258BBC7019FA8DC49BDE7FECAB47320F144265FD24E32A1D6B0DE4587A0
APIs
• CreateThread.KERNEL32(00000000,?,00BDCFF9,00000000,00000004,00000000), ref: 00BDD218
• GetLastError.KERNEL32 ref: 00BDD224
• __dosmaperr.LIBCMT ref: 00BDD22B
• ResumeThread.KERNEL32(00000000), ref: 00BDD249
Similarity
• API ID: Thread$CreateErrorLastResume__dosmaperr
• String ID:
• API String ID: 173952441-0
• Opcode ID: 55c9e1fb2155e64a7ae21882788acd39558d000bdec2c14ab240040e97fc2722
• Instruction ID: ef8ead90989bd256c258e6316dfe0e1fcd090395ea351372788c9fa36d8908e0
• Opcode Fuzzy Hash: 55c9e1fb2155e64a7ae21882788acd39558d000bdec2c14ab240040e97fc2722
• Instruction Fuzzy Hash: A901D6364051057BC7115BA5DC45BAEFAEDEF82330F10029AF965922E0EB71C905C6A0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BB604C
• GetStockObject.GDI32(00000011), ref: 00BB6060
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB606A
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
• Opcode ID: 013e1191fdcf5605fe519a9bfa29f88d91145603e3de3a5f1a0ee9ca094a520c
• Instruction ID: e9e1dd4b22db7074f2e5c3e0addcbeba76d4dbb595a8215e9cc2a123227607b5
• Opcode Fuzzy Hash: 013e1191fdcf5605fe519a9bfa29f88d91145603e3de3a5f1a0ee9ca094a520c
• Instruction Fuzzy Hash: 4D11AD72102508BFEF165FA58C84FFEBBA9FF093A4F440245FA1452020D7769C60DBA0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 00BD3B56
  • Part of subcall function 00BD3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00BD3AD2
  • Part of subcall function 00BD3AA3: ___AdjustPointer.LIBCMT ref: 00BD3AED
• _UnwindNestedFrames.LIBCMT ref: 00BD3B6B
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00BD3B7C
• CallCatchBlock.LIBVCRUNTIME ref: 00BD3BA4
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 737400349-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 14481bc0a712ebb0cb669fbc658258c7ebdd7b941de54d6f7555af8a24532a89
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2D012D32100148BBDF115F95CC46EEBBFE9EF48B54F04405AFE4856222E732D961DBA1
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00BB13C6,00000000,00000000,?,00BE301A,00BB13C6,00000000,00000000,00000000,?,00BE328B,00000006,FlsSetValue), ref: 00BE30A5
                                                                                                                                                                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,00BE301A,00BB13C6,00000000,00000000,00000000,?,00BE328B,00000006,FlsSetValue,00C52290,FlsSetValue,00000000,00000364,?,00BE2E46), ref: 00BE30B1
                                                                                                                                                                                                                                                                                                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BE301A,00BB13C6,00000000,00000000,00000000,?,00BE328B,00000006,FlsSetValue,00C52290,FlsSetValue,00000000), ref: 00BE30BF
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3177248105-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 584e151de048b6a164aa859b7ef8d91c52bf75881db54e4d0349caf36413a39e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 526872b1b6c0a6153bc66a470cbbdb46fa4835ab3d8d1908903f0cbd4c7e0ea0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 584e151de048b6a164aa859b7ef8d91c52bf75881db54e4d0349caf36413a39e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E901F736702262ABCB318BBA9C8CB6B7BD8EF46F61B240660F905E3151C721D901C6E0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C1747F
                                                                                                                                                                                                                                                                                                                                                                                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C17497
                                                                                                                                                                                                                                                                                                                                                                                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C174AC
                                                                                                                                                                                                                                                                                                                                                                                • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C174CA
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Type$Register$FileLoadModuleNameUser
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1352324309-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 0b50171608fd7be827485b7751b67241efb5b7dadfddcb78f8ca12d92284e167
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: b06855bab276f2620d0fbe727a5879c0c4e42b27e33d6dc975aeca40a0a1cdae
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0b50171608fd7be827485b7751b67241efb5b7dadfddcb78f8ca12d92284e167
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6511A1B52063109BE7208F14DD48BE67BFCFB01B00F108669A666D6161D770E984EF50
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C1ACD3,?,00008000), ref: 00C1B0C4
                                                                                                                                                                                                                                                                                                                                                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C1ACD3,?,00008000), ref: 00C1B0E9
                                                                                                                                                                                                                                                                                                                                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C1ACD3,?,00008000), ref: 00C1B0F3
                                                                                                                                                                                                                                                                                                                                                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C1ACD3,?,00008000), ref: 00C1B126
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
• Opcode ID: b74e22e7264102926c119bd10b762c151a31522ba085816bc455492caaa3a1e3
• Instruction ID: 056717b1f08fcbec0a8855e800ed855f3c16cecf58f8b95109f4e55e2496707b
• Opcode Fuzzy Hash: b74e22e7264102926c119bd10b762c151a31522ba085816bc455492caaa3a1e3
• Instruction Fuzzy Hash: FA115B71C0292CE7CF00AFE5E998BEEBF78FF4A711F214085D951B2191CB309A909B51
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C12DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00C12DD6
• GetCurrentThreadId.KERNEL32 ref: 00C12DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C12DE4
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: 5df89ff3f3b1fbe9f05f322f2b4036aeebf3891f9f3c8ad6dc4de68b17e99157
• Instruction ID: 3582d0afa4813370857c5f042ef956f4f491289b8101392596e98c9542115965
• Opcode Fuzzy Hash: 5df89ff3f3b1fbe9f05f322f2b4036aeebf3891f9f3c8ad6dc4de68b17e99157
• Instruction Fuzzy Hash: 38E06D79602228BAD7202BA2EC8DFEF3E6CFB43BA1F014015B105D10A09AA08980D6B0
APIs
  • Part of subcall function 00BC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BC9693
  • Part of subcall function 00BC9639: SelectObject.GDI32(?,00000000), ref: 00BC96A2
  • Part of subcall function 00BC9639: BeginPath.GDI32(?), ref: 00BC96B9
  • Part of subcall function 00BC9639: SelectObject.GDI32(?,00000000), ref: 00BC96E2
• MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00C48887
• LineTo.GDI32(?,?,?), ref: 00C48894
• EndPath.GDI32(?), ref: 00C488A4
• StrokePath.GDI32(?), ref: 00C488B2
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
• String ID:
• API String ID: 1539411459-0
• Opcode ID: d68c37b1ec28d21605f01d9edd56da1d8cceb68a6c7d7e01cbb30879744cabfd
• Instruction ID: 125e697bb966bad5119395d86b4578a7263723f50e53ff2744a165941deb3bad
• Opcode Fuzzy Hash: d68c37b1ec28d21605f01d9edd56da1d8cceb68a6c7d7e01cbb30879744cabfd
• Instruction Fuzzy Hash: 7EF03A3A042258BAEB125F94AC09FCE3E59BF06710F048100FA12650E2C7755611CBA9
APIs
• GetSysColor.USER32(00000008), ref: 00BC98CC
• SetTextColor.GDI32(?,?), ref: 00BC98D6
• SetBkMode.GDI32(?,00000001), ref: 00BC98E9
• GetStockObject.GDI32(00000005), ref: 00BC98F1
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Color$ModeObjectStockText
• String ID:
• API String ID: 4037423528-0
• Opcode ID: 8a29b34c4f97e086259cca588303ee3cf826ac36cab35cc0aefa89676b97fc20
• Instruction ID: cf81a2dbefc4ad58db9afac45a4e1244069b661ab6fc57c82c0ae89a3b04aa01
• Opcode Fuzzy Hash: 8a29b34c4f97e086259cca588303ee3cf826ac36cab35cc0aefa89676b97fc20
• Instruction Fuzzy Hash: 9BE06D35645280AAEB615B74AC49BEC3F60FB16336F048319F6FA580F1C7B15640DF10
APIs
• GetCurrentThread.KERNEL32 ref: 00C11634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00C111D9), ref: 00C1163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C111D9), ref: 00C11648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00C111D9), ref: 00C1164F
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: e8625a090be229f7d403b1077c701aceb171a7677d9b63928d4717dd3e2842ee
• Instruction ID: 6b1e9618d9a4654af444fd22c1d1ffc1435f45810be80c28d89e5728cdb4705c
• Opcode Fuzzy Hash: e8625a090be229f7d403b1077c701aceb171a7677d9b63928d4717dd3e2842ee
• Instruction Fuzzy Hash: 0AE04F35602211DBD7B01FA09D4DB8A3B68FF467A1F184808F655C90A0D66845808B50
APIs
• GetDesktopWindow.USER32 ref: 00C0D858
• GetDC.USER32(00000000), ref: 00C0D862
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C0D882
• ReleaseDC.USER32(?), ref: 00C0D8A3
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: a86cfe2d98ad0ddc4a6f29a96ec71808f66bfc43135b4e5c9612413cbad0dc46
• Instruction ID: a63a4e0d6a03ac1762e2b8685acb5a652c429d66a88bb0e4f9a0ebe1ea29d221
• Opcode Fuzzy Hash: a86cfe2d98ad0ddc4a6f29a96ec71808f66bfc43135b4e5c9612413cbad0dc46
• Instruction Fuzzy Hash: 14E01AB8801204DFCB819FA0D888BADBBF1FB09310F11C099F816E7260C7388901EF40
APIs
• GetDesktopWindow.USER32 ref: 00C0D86C
• GetDC.USER32(00000000), ref: 00C0D876
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C0D882
• ReleaseDC.USER32(?), ref: 00C0D8A3
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: dde824895d1b38effe5f04d7aa6681a6f8a1cff4d48b724858f513d53bc3839e
• Instruction ID: 6c452d592986aa9b7ca691c0a7a8040f14466c1d053f63d60e1954279792c295
• Opcode Fuzzy Hash: dde824895d1b38effe5f04d7aa6681a6f8a1cff4d48b724858f513d53bc3839e
• Instruction Fuzzy Hash: 70E01A78801200DFCB909FA0D8887ADBBF1BB08310B118048F81AE7260C73859019F40
APIs
• __Init_thread_footer.LIBCMT ref: 00BBBEB3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Init_thread_footer
                                                                                                                                                                                                                                                                                                                                                                                • String ID: x$$
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1385522511-1009475463
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: e580548f1cdafeef10e63aa75aaf1341f0b546ad8d38d0c74079c82bc5e7b1d9
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: fbe5100fa8d4a7171eec9434610bb5657b49a733123daed96fd60e91e4258bbd
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e580548f1cdafeef10e63aa75aaf1341f0b546ad8d38d0c74079c82bc5e7b1d9
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A6913975A0020ADFCB18CF59C490AFABBF1FF58314F2445AAD945AB350D7B1E981DB90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB7620: _wcslen.LIBCMT ref: 00BB7625
                                                                                                                                                                                                                                                                                                                                                                                • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C24ED4
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Connection_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: *$LPT
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1725874428-3443410124
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c8f88fdc94d80c15f8a1a9faae66659b24a1e6b458e5f2cf5474cc4f1c8cc55a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: dc20adeffa77f7f2edd940c69c901ef7735799f3dcc17f6941514ad97653b6c4
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c8f88fdc94d80c15f8a1a9faae66659b24a1e6b458e5f2cf5474cc4f1c8cc55a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B8918175A00214DFDB18DF98D584EAABBF1BF84304F158099E41A9F762C771EE85CB90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • __startOneArgErrorHandling.LIBCMT ref: 00BDE30D
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ErrorHandling__start
                                                                                                                                                                                                                                                                                                                                                                                • String ID: pow
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3213639722-2276729525
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 5791dd0cef295267ad27c0342664db68263ea342495aaad9b308748efd38919d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: c098f12692761c6e4f70ba7cd32602b877d0a08ad7320e8be9aaa29c3c32ee50
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5791dd0cef295267ad27c0342664db68263ea342495aaad9b308748efd38919d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 62518DA1A4C24296CB167715CD4177D7BE8DB00751F348AEAE0A54B3E9FF30CCC19A8A
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID: #
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 0-1885708031
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: a58b3fbea3f008f1c61c6acc10d64c9637006122dbc5b68dd0eb5029b7e9585d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: bc698e93b1ca9acdcf24054c7aed947968fe9ad22b7faeb7b51b6b64a84492be
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a58b3fbea3f008f1c61c6acc10d64c9637006122dbc5b68dd0eb5029b7e9585d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EB510175644246DFDB25DF28C481BFA7BE8EF55310F288499E8A19B2D0D734DE42CBA0
APIs
• Sleep.KERNEL32(00000000), ref: 00BCF2A2
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00BCF2BB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
APIs
• CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00C357E0
• _wcslen.LIBCMT ref: 00C357EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: BuffCharUpper_wcslen
• String ID: CALLARGARRAY
• API String ID: 157775604-1150593374
APIs
• _wcslen.LIBCMT ref: 00C2D130
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C2D13A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
• API String ID: 596671847-2343686810
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00C43621
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C4365C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d58fa3bad0741fd8b40f91866271a5e9e1035ca2a98fbad2dfbb243ffa83c98e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 4f3ca883191252a88b3cca49f7897d2d7086402485b60a455051ec077bff370d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d58fa3bad0741fd8b40f91866271a5e9e1035ca2a98fbad2dfbb243ffa83c98e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B7319C71110244AEDB10DF28DC81FFB73A9FF88720F018619F9A597290DA30AE91D764
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00C4461F
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C44634
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID: '
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3850602802-1997036262
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 0ec94ad12c2cf02d55f87ffc73aed75b79173f30864292cf6aa57ab8fe0b9c31
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 5f1bd13fadaae44facee4a6e8fb872ac503e65f7f57c5c1ea1de159fe26efadf
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0ec94ad12c2cf02d55f87ffc73aed75b79173f30864292cf6aa57ab8fe0b9c31
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DE3118B4A012099FDF18CFA9C991BDABBF5FF49300F25406AE915AB351D770AA41CF90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C4327C
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C43287
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Combobox
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3850602802-2096851135
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 5d3498ffea18820cb1060f3320ff35064f5cd467056bfdbec63505c83e237d6d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 8e669c8b189c0848e7eea57eda35030b7d50e10e7aa8987ffc43a72cd26a54eb
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5d3498ffea18820cb1060f3320ff35064f5cd467056bfdbec63505c83e237d6d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8511B2713002487FFF259E54DC81FBB37AAFB943A4F104225F92897292D6B19E518760
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: 0V$HANDLE
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 176396367-142091961
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 84ac7b11544efbf482b662d40248536cb2456684061cc12b571c56acec4903d4
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
• Instruction Fuzzy Hash: 3D11E1715101249AE7188F99D889BEDB3A8DF82721F60406AEC11CE0C4E7709EC2E714
APIs
  • Part of subcall function 00BB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BB604C
  • Part of subcall function 00BB600E: GetStockObject.GDI32(00000011), ref: 00BB6060
  • Part of subcall function 00BB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB606A
• GetWindowRect.USER32(00000000,?), ref: 00C4377A
• GetSysColor.USER32(00000012), ref: 00C43794
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: f750b88ecff3f435d23cd98f04389aed47929d19e8b68b12193876a268165ce7
• Instruction ID: 6dbc5cecc09520e35662922ee563d3760d78f978600d99d5bbf821d8b5dfba62
• Opcode Fuzzy Hash: f750b88ecff3f435d23cd98f04389aed47929d19e8b68b12193876a268165ce7
• Instruction Fuzzy Hash: 731159B2610209AFDB00DFA8CC46AEE7BF8FB09304F004514FDA5E2250D735E9119B50
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C2CD7D
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C2CDA6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: 79ce6d437c14d93c67f6c0054f825e6d382d071331c3dae361ac503be3760a15
• Instruction ID: 62a8c2ceb6c975efbd8d8408997e2e86937eba5bc519a92bc0661ee5863ef34e
• Opcode Fuzzy Hash: 79ce6d437c14d93c67f6c0054f825e6d382d071331c3dae361ac503be3760a15
• Instruction Fuzzy Hash: 50110675201A317AD7344B669CC4FEBBE6CEF127A4F004236F11983480D3709944D6F0
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 00C434AB
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C434BA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 6a7974869979fff587a0ae9be4df0d6f9c7111d2549861ec69371dd8a0ad8626
• Instruction ID: 4a94f5f492bd27189af10ea2b1826f055d4eb7610178ea805c4c3c42849fe779
• Opcode Fuzzy Hash: 6a7974869979fff587a0ae9be4df0d6f9c7111d2549861ec69371dd8a0ad8626
• Instruction Fuzzy Hash: 4C119A71200248ABEB129E64DC84BEA3BAAFB95374F505324F970931E0C775DE519B60
APIs
  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
• CharUpperBuffW.USER32(?,?,?), ref: 00C16CB6
• _wcslen.LIBCMT ref: 00C16CC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: STOP
• API String ID: 1256254125-2411985666
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d8314506fa23281a0c870e5a5b55a2f74e143ff78427289ecc310334961569d9
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 4909725e18d2b1b9230b700026409f334d43f1f4482136ab0c31368589052d5f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d8314506fa23281a0c870e5a5b55a2f74e143ff78427289ecc310334961569d9
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9A01D232A105268BCB20AFFDDC909FF77F5FB627107500968E86297190EB71DA80D790
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C13CCA
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C11D4C
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: ea612ef2b162a56d4b803e91cd2917022e58dfea966af8b92eb601a70654efa6
• Instruction ID: ef7c970dbcfa858b4ac0fa49180df78cb7e49c95c25169d82a698c3d2e6e635b
• Opcode Fuzzy Hash: ea612ef2b162a56d4b803e91cd2917022e58dfea966af8b92eb601a70654efa6
• Instruction Fuzzy Hash: 96012431601218AB8B09FBA0DC51DFE77A8FB03390B180619FD32673C1EA745948E660
APIs
  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
  • Part of subcall function 00C13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C13CCA
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00C11C46
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: bf955fa3c6a7829f165f82344a3c99749c1b2b61616aadc80d6f232d95d44328
• Instruction ID: be50def9aaef11c6ac4eaaec56d496186d9c21161beee2cce946b03066a0eb5a
• Opcode Fuzzy Hash: bf955fa3c6a7829f165f82344a3c99749c1b2b61616aadc80d6f232d95d44328
• Instruction Fuzzy Hash: E9016775781108A7CB14EB90CD61AFF77E89B17380F140059BA1667281EA649F48A6F1
APIs
  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
  • Part of subcall function 00C13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C13CCA
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00C11CC8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: abd8df7945d843cb3f01baa0d4765bf1b54cf123926c2ab26c24e2de21520902
• Instruction ID: 084225848196a269ce30194a5351de3d639daf60aed9e4399d9bc8986cd11049
• Opcode Fuzzy Hash: abd8df7945d843cb3f01baa0d4765bf1b54cf123926c2ab26c24e2de21520902
• Instruction Fuzzy Hash: BC01D67568111867CF04EBA4CE61AFF77E89B13380F180015BE0673281EAA49F48E6F1
APIs
  • Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD
  • Part of subcall function 00C13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C13CCA
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00C11DD3
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: e5bf1601768716205b61b091628a2883877da7c849ef483449152ce596bda818
• Instruction ID: 77004bdd7cceb02d42714496ee561f293db7a26d9b45b970732d613640ba7142
• Opcode Fuzzy Hash: e5bf1601768716205b61b091628a2883877da7c849ef483449152ce596bda818
• Instruction Fuzzy Hash: 25F0CD71B5121867DB05F7A4DC91FFF77B8AB03390F140915BD26632C1EAA45A489260
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: _wcslen
• String ID: 3, 3, 16, 1
• API String ID: 176396367-3042988571
• Opcode ID: d6c88c031454d335d2e771bf14c4d0c60dc2657807902aa920471cf88546536d
• Instruction ID: 2a7ec669c8fd5dbca7ed4033ffa0efcd8899a20a7a48b6c04757f7fccd2e1485
• Opcode Fuzzy Hash: d6c88c031454d335d2e771bf14c4d0c60dc2657807902aa920471cf88546536d
• Instruction Fuzzy Hash: 8BE06182324320259331237BDCC197F96C9CFC9790B10192BF9C5C2366FBA8DE9193A0
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C10B23
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: Message
• String ID: AutoIt$Error allocating memory.
• API String ID: 2030045667-4017498283
• Opcode ID: da27444fbde226fb3f9d128ea8c78499c24c82d67b26722637d0a325616c5bb8
• Instruction ID: ca91d0ffd2ea7e17d9aa1944f2106169f79967a746c8f890e1ed39d9cb2136d3
• Opcode Fuzzy Hash: da27444fbde226fb3f9d128ea8c78499c24c82d67b26722637d0a325616c5bb8
• Instruction Fuzzy Hash: 95E0D83128531937D21437957C43FD97BC49F05B21F1044BAFB98555D38AE1289006E9
APIs
  • Part of subcall function 00BCF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BD0D71,?,?,?,00BB100A), ref: 00BCF7CE
• IsDebuggerPresent.KERNEL32(?,?,?,00BB100A), ref: 00BD0D75
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BB100A), ref: 00BD0D84
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BD0D7F
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                                                                                                                                                                                                                                                                                                                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 55579361-631824599
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 1ccdb2b4fda3eba2a99c31c92f637e49cb15f66da0f3a55735cd8a17ec361939
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: c728d31762f6a5507f284d0c8d8c744a7f520614dc2a0617e5850e40e426fc77
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1ccdb2b4fda3eba2a99c31c92f637e49cb15f66da0f3a55735cd8a17ec361939
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 93E06DB42003018BD770AFB9E444756BBE5BB04741F0089BEE882C6761EBF4E4458BA1
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C2302F
                                                                                                                                                                                                                                                                                                                                                                                • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00C23044
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Temp$FileNamePath
                                                                                                                                                                                                                                                                                                                                                                                • String ID: aut
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3285503233-3010740371
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 57d0e0b38a689c49ad51676fdec8e7767ab2ef36700174ffffed21584318cbc1
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 6350ff4d0805f39df65ca5240afd9e74aa03cfe85fc1f7bf5a19070c99ce60ec
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 57d0e0b38a689c49ad51676fdec8e7767ab2ef36700174ffffed21584318cbc1
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B6D05EB650132867DA70A7A5AC4EFCB3A6CEB05760F0002A1B655E20A1DAF49984CAD4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C4236C
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(00000000), ref: 00C42373
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C1E97B: Sleep.KERNEL32 ref: 00C1E9F3
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: FindMessagePostSleepWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Shell_TrayWnd
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 529655941-2988720461
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: f476d18a2971895812c34bd746b458fae733da077ff90bb4e63f18bee00a11ef
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: d617d3ff6131a68cb65b8c4cfc5bdb9c97a3319493b60f236d00128e1ce0acf9
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f476d18a2971895812c34bd746b458fae733da077ff90bb4e63f18bee00a11ef
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 73D022363C23007BE2A8B331EC4FFCE7614AB02B00F0089127706EA0E0C8F0B840CA04
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C4232C
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C4233F
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00C1E97B: Sleep.KERNEL32 ref: 00C1E9F3
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: b904c19ec26aef987a0dbd641e328e048f11894050dcd05e0e358da2e9d8087f
• Instruction ID: cafb4d27d05e8d19069530c57d901c68c7fdbd8adefcde7824542b19f21b2618
• Opcode Fuzzy Hash: b904c19ec26aef987a0dbd641e328e048f11894050dcd05e0e358da2e9d8087f
• Instruction Fuzzy Hash: CAD0223A385300B7E2A8B331EC4FFCE7A14AB01B00F008912770AEA0E0C8F0A840CA00
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00BEBE93
• GetLastError.KERNEL32 ref: 00BEBEA1
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BEBEFC
Memory Dump Source
• Source File: 00000000.00000002.1413927231.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1413879591.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414088717.0000000000C72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414227689.0000000000C7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414259843.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bb0000_P0HV8mjHS1.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: c2cc3e892794ad24281946c194266d72819e40c6334f94275217bf36a4656a91
• Instruction ID: 86dc28cb73998354e7ff9a75162240cba97640e4e3520ce467cfe4efe7fbc967
• Opcode Fuzzy Hash: c2cc3e892794ad24281946c194266d72819e40c6334f94275217bf36a4656a91
• Instruction Fuzzy Hash: 6441A435605286ABCB218F66CC94FBBBBE5EF41310F1441E9F959572A1DB308D01DBA0